The company has apparently done a poor job informing users about the fixes

Feb 19, 2014 14:23 GMT
Belkin says firmware updates have already been released for vulnerable WeMo devices

On Tuesday, IOActive published an advisory to warn users of Belkin WeMo Home Automation devices of vulnerabilities that could be exploited to hijack the gadgets for malicious purposes. However, Belkin says the vulnerabilities highlighted by IOActive have already been addressed.

IOActive said it had notified Belkin of the flaws via CERT, but claimed the company was unresponsive. However, in a statement provided to SecurityWeek on Tuesday evening, Belkin revealed that the security holes were addressed with various updates made in the previous months.

The company is blaming “a miscommunication between various parties.”

According to Belkin, the XML injection vulnerability in the WeMo API server was fixed on November 5, 2013. Later, on January 24, 2014, a firmware update was rolled out to add SSL encryption and validation, eliminate the storage of signing keys on the device, and set password protection on the serial port interface.

The iOS and Android apps were updated on January 24 and February 10, respectively. The latest versions of the mobile applications can be used to upgrade the firmware of vulnerable devices.

This might be a case of miscommunication, but as SecurityWeek highlights, if the vulnerabilities are truly addressed, Belkin has done a poor job informing users about the fixes.