Many consumers are hesitant to invest in smart home technology for fear that their thermostats or lights might be hacked. As it turns out, their concern may have been justified: Security researchers recently uncovered several critical security flaws in Belkin's WeMo line of smart home devices that could have thrown homes into chaos.
IOActive, a Seattle-based security firm, announced the discovery yesterday (Feb. 18). According to a statement from IOActive, software flaws in WeMo devices could have allowed attackers to control the devices remotely, install their own malicious firmware, monitor conditions in a target's home or even access a target's computer network.
WeMo devices include light switches, motion detectors and security cameras. At CES 2014, Belkin revealed that smart cookware, lightbulbs and even a DIY kit to smarten any low-voltage device would soon join its lineup. It doesn't take an overactive imagination to see how a malicious hacker could have a field day with these common appliances.
The vulnerability was in WeMo's firmware update process, which is entirely dependent on the smartphone apps that connect to WeMo devices. To Belkin's credit, each new firmware update is encrypted. However, the encryption key for each new update was already present in the system's existing firmware. In effect, this gave hackers the ability to compromise any new firmware even before its release.
Belkin was also rather lax with its secure socket layer (SSL) Web-connection security protocols. When a WeMo device conferred with Belkin's central servers, Belkin did not properly validate its SSL certificates. This allowed anyone with an SSL certificate (an easy-to-acquire security protocol) to push phony firmware updates on unsuspecting users.
If you use any WeMo devices, you may not want to unplug them and live out the rest of your days as a sylvan hermit just yet. Belkin was quick to respond to IOActive's findings and announced late yesterday that it had already repaired the discovered vulnerabilities with firmware updates.
To make sure your devices are protected, open up the iOS App Store or the Google Play store, and ensure that your WeMo app is up-to-date and that the app will transmit the latest firmware to the devices.
Although the WeMo product line is safe for now, the issue is indicative of one of the worst-kept secrets about smart home tech: For the most part, smart-home security protocols are laughable. ZigBee and Z-Wave, the two most common smart home protocols, were compromised months ago, but few companies have demonstrated interest in fixing these issues.
Without secure smart-home protocols, manufacturers will be dependent on traditional Wi-Fi architecture. Standard computer programs and mobile apps are only as secure as their programmers make them, and there is no such thing as an unhackable program — as WeMo demonstrated.
Most unsecure apps can reveal a user's email address or, at worst, credit card number. Although it's admittedly a very extreme case, an unsecure smart-home app could start a house fire. Expect smart-home security to evolve significantly over the next few years.