Security researches from IOActive have identified a number of vulnerabilities in Belkin WeMo home automation devices that allow people to control their electronics from their mobile phones. More than half a million users are said to be impacted.
According to experts, the vulnerabilities can be exploited not only to perform malicious firmware updates, but also to remotely monitor and hijack the devices. Furthermore, the security holes can be leveraged to gain access to local networks.
Once they have access to the local network, the attackers can target laptops, mobile phones and other devices.
“As we connect our homes to the Internet, it is increasingly important for Internet-of-Things device vendors to ensure that reasonable security methodologies are adopted early in product development cycles,” said Mike Davis, IOActive’s principal research scientist and the one who discovered the vulnerabilities.
“This mitigates their customer’s exposure and reduces risk. Another concern is that the WeMo devices use motion sensors, which can be used by an attacker to remotely monitor occupancy within the home.”
On one hand, cybercriminals could exploit the bugs to waste electricity. However, in a worst case scenario, hackers could even start home fires.
A number of security holes are described in IOActive’s advisory. For instance, hackers can upload unauthorized firmware because the signing key can be easily obtained.
Moreover, Belkin hasn’t ensured that SSL certificates are validated, which means that cybercriminals can use any certificate to capture credentials and push malicious firmware updates.
However, experts warn that an attacker doesn’t even need to alter the firmware in order to hijack the gadgets. That’s because they rely on a virtual darknet that enables users to connect to them directly. If the attacker can guess a “secret number,” he can take control of the system.
Finally, another way to compromise Belking’s home automation products is by exploiting an XML inclusion vulnerability in the server API.
IOActive says the vulnerabilities have been reported to CERT, which in turn has notified Belkin. However, the company “was unresponsive.”