Update: Seven hours after this article was published, Belkin representatives issued a statement saying most of the vulnerabilities IOActive reported had been patched in January, in version 3949 of the WeMo firmware. The statement also said Belkin employees had been in contact with researchers about the vulnerabilities prior to Tuesday's report.

IOActive researcher Mike Davis said the extent of his communication with Belkin was a single phone call with an employee. Davis said he was never informed of any patches being issued for the WeMo firmware. The US-CERT advisory similarly stated there were no known fixes for the vulnerabilities. Below is the story as originally reported, followed by Belkin's statement, Davis's reply, and a representative's response to questions.

Security researchers have taken the unusual step of recommending that people stop using Belkin's WeMo home automation products after uncovering a variety of vulnerabilities that attackers can exploit to take control of home networks, thermostats, or other connected devices.

WeMo products allow people to use smartphones and computers to remotely control light switches, Web cams, motion sensors, and other home appliances. Now the items are exposing the password and cryptographic signing key used to ensure that firmware updates are valid, according to an advisory published Tuesday by researchers from security firm IOActive. Attackers can use the credentials to bypass WeMo security checks and sign malicious firmware that masquerades as an official release from Belkin.

WeMo devices also fail to validate Secure Sockets Layer (SSL) certificates when connecting to Belkin servers, even when the devices are running firmware that's fully up to date. What's more, firmware update notices are delivered through handsets or computers paired with the WeMo products and use an unencrypted channel. IOActive Principal Research Scientist Mike Davis said he was able to combine exploits for those weaknesses into an attack that spoofed the RSS feed Belkin uses to push firmware updates to WeMo products. The counterfeit feeds, in turn, surreptitiously infected the devices with malware.

Unfettered access

The malware gains unfettered root access to the WeMo device and allows attackers to send commands to connected appliances. Attackers can also change the state of a connected device by exploiting a separate flaw in the Universal Plug and Play (UPnP) implementation. A video demonstration posted last month shows how such an attack can be used to repeatedly turn a small desk lamp on and off. More malicious hacks could do similar things to heaters or other connected devices in the home. The vulnerabilities pose a risk because they could allow attackers to tamper with motion sensors used in home security systems, IOActive said.

"The firmware updates are encrypted using GPG, which is intended to prevent this issue," the IOActive advisory stated. "Unfortunately, Belkin misuses the GPG asymmetric encryption functionality, forcing it to distribute the firmware-signing key within the WeMo firmware image. Most likely, Belkin intended to use the symmetric encryption with a signature and a shared public key ring. Attackers could leverage the current implementation to easily sign firmware images."
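The design the advisory says Belkin most likely intended, shown as an added example that is not Belkin's or IOActive's code: the device holds only the vendor's public verification key, the private signing key never leaves the vendor's build system, and any image that was altered or signed with some other key is rejected. It assumes Ed25519 in place of GPG and a constructed sample image.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device models the only key material a device needs in order to
// validate firmware: the vendor's PUBLIC key. (Hypothetical model; the
// page says the shipped WeMo image instead carried the signing key.)
type Device struct {
	VendorPubKey ed25519.PublicKey
}

// VerifyFirmware returns nil only if sig is the vendor's signature over image.
func (d Device) VerifyFirmware(image, sig []byte) error {
	if len(d.VendorPubKey) != ed25519.PublicKeySize {
		return errors.New("device has no valid vendor public key")
	}
	if !ed25519.Verify(d.VendorPubKey, image, sig) {
		return errors.New("firmware signature invalid: update rejected")
	}
	return nil
}

// VendorSign runs on the vendor's build server, never on the device.
func VendorSign(priv ed25519.PrivateKey, image []byte) []byte {
	return ed25519.Sign(priv, image)
}

// Demo exercises three cases and reports whether each image was accepted:
// a genuine image, a tampered image, and an image signed with a foreign key.
func Demo() (genuineOK, tamperedOK, foreignOK bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)      // vendor key pair
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)   // attacker's own key
	dev := Device{VendorPubKey: pub}                      // only pub is provisioned

	image := []byte("constructed sample firmware image") // constructed input
	sig := VendorSign(priv, image)
	genuineOK = dev.VerifyFirmware(image, sig) == nil

	tampered := append([]byte{}, image...)
	tampered[0] ^= 0x01 // flip one bit after signing
	tamperedOK = dev.VerifyFirmware(tampered, sig) == nil

	foreignOK = dev.VerifyFirmware(image, VendorSign(otherPriv, image)) == nil
	return genuineOK, tamperedOK, foreignOK
}

func main() {
	g, t, f := Demo()
	fmt.Printf("genuine=%v tampered=%v foreign-key=%v\n", g, t, f)
}
```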

Yet another vulnerability in WeMo products involves the way they use the Session Traversal Utilities for NAT (STUN) and Traversal Using Relays around NAT (TURN) protocols to connect to the Internet. Insufficient entropy in the devices' random number generation produces globally unique identifiers (GUIDs) that are easy to predict. The advisories come a few months after a separate researcher uncovered vulnerabilities in the WeMo baby monitor that could be exploited to turn it into an Internet-controlled bugging device.

IOActive reported the vulnerabilities to US-CERT, which issued a separate advisory outlining the weaknesses. IOActive said it decided to recommend that people immediately stop using WeMo devices after Belkin representatives failed to respond to several private notifications CERT made about the threats.

"Due to Belkin not producing any fixes for the issues discussed, IOActive felt it important to release an advisory and recommends unplugging all devices from the affected WeMo products," representatives of the security firm wrote in an e-mail sent to Ars.

It remains unclear exactly what mitigating factors might prevent IOActive's proof-of-concept attacks from working as seamlessly as described. The advisories omit many technical details, most likely to make it harder for people who read them to carry out malicious hacks. If hackers can exploit these flaws without first guessing the password of a paired device or otherwise compromising the systems, it's easy to agree with IOActive's recommendation to immediately stop using WeMo products. But if the devices can be locked down using less draconian measures—for instance, by temporarily disabling automatic updating until the weaknesses are fixed—that may be a better course of action for some readers.

Davis said the use of firewalls to protect the devices is ineffective, given WeMo's use of protocols for bypassing network address translation. This article will be updated if Belkin representatives comment on the advisories.

Update: Belkin's statement is as follows:

Belkin has corrected the list of five potential vulnerabilities affecting the WeMo line of home automation solutions that was published in a CERT advisory on February 18. Belkin was in contact with the security researchers prior to the publication of the advisory, and, as of February 18, had already issued fixes for each of the noted potential vulnerabilities via in-app notifications and updates. Users with the most recent firmware release (version 3949) are not at risk for malicious firmware attacks or remote control or monitoring of WeMo devices from unauthorized devices. Belkin urges such users to download the latest app from the App Store (version 1.4.1) or Google Play Store (version 1.2.1) and then upgrade the firmware version through the app. Specific fixes Belkin has issued include:

1) An update to the WeMo API server on November 5, 2013 that prevents an XML injection attack from gaining access to other WeMo devices.

2) An update to the WeMo firmware, published on January 24, 2014, that adds SSL encryption and validation to the WeMo firmware distribution feed, eliminates storage of the signing key on the device, and password protects the serial port interface to prevent a malicious firmware attack.

3) An update to the WeMo app for both iOS (published on January 24, 2014) and Android (published on February 10, 2014) that contains the most recent firmware update.

Davis, in turn, wrote the following in an e-mail to Ars:

alright… if Belkin has fixed this issue at all, it's news to us. as we stated, aside from an initial contact with Brian Knopf after we alerted US-CERT, we were never informed of mitigations or told a solution was in the works..

this is why we recommended disconnection of the devices rather than updating to the current firmware.. somewhat more worrisome is that they didn't seem to address the misuse of the STUN/TURN proxy, or the really weak authentication system, or the broken entropy engine which is used to create the GUID needed to control the light switch through the proxy..

A Belkin spokeswoman responding to questions from Ars added the following: