UPDATED 6:40 pm ET June 3 with comment from Belkin.
Smart-home tech very often seems like a solution in search of a problem, but the problem it finds again and again is a lack of comprehensive security. The popular Belkin WeMo Insight Switch, which can act as a power switch for a variety of household devices, encrypts Wi-Fi passwords but provides more than enough plain-text data to let a talented hacker reverse engineer the protection.
HOTforSecurity, the blog run by Bucharest, Romania-based security firm Bitdefender, gave a rundown of the WeMo Switch's well-hidden vulnerability. Users must connect a WeMo Switch to their home Wi-Fi networks in order for it to work, and it then transmits data up to Belkin's servers, which then sends it down to a smartphone app.
If a user accesses the WeMo Switch from an open Wi-Fi network elsewhere, the a truly dedicated hacker could sniff out the information. It’s not easy, but it's plausible.
We've reached out to Belkin for comment and will update this story when we receive a reply.
The Wi-Fi password is encrypted with a symmetric 128-bit key, which theoretically makes it difficult to crack. However, the WeMo Switch transmits just about everything else in plain text, including the WeMo switch's MAC address and device ID.
As the encryption is based on a combination of these two things, a skilled hacker could reverse-engineer the decryption, as Bitdefender's researchers did. This is by no means a simple procedure, but it can be done, and if an intelligent security researcher could figure it out, it's likely that an intelligent cybercriminal could as well.
The WeMo Switch is hardly alone in possessing security flaws. Radu Basaraba, a researcher at Bitdefender, said that smart-home manufacturers are often well aware of products' security limitations, but would rather get them to market than fix them.
"The authentication and traffic encryption flaws that often afflict [smart home] systems are known in the security industry but, despite this, mitigation is often neglected," he said. "Although lack of authentication seems like a minor mistake, it ultimately leads to jeopardizing users' confidence in vendors and the [smart home] landscape itself."
In the meantime, Bitdefender did not recommend any particular course of action to mitigate the flaw. You could disable your WeMo Switch, although that might not be ideal if you rely on it for household convenience. WeMo has had trouble with its security before and provided timely updates, so it may take the same course of action here.
Furthermore, there's no evidence that attackers have actually used this exploit in the wild. For now, sit tight, but be wary of any suspicious activity on your Wi-Fi network.
UPDATE: Belkin issued a detailed statement regarding Bitdefender's report.
"The Bitdefender research only points to an initial vulnerability upon set-up when the WeMo device is first making connection with a users' home network," the statement said.
"The encrypted Wi-Fi password is never transmitted to the WeMo Cloud and sniffing it requires the hacker to be physically present within Wi-Fi range at the time of setup. This issue does not affect any WeMo device that is already configured or any data transmitted to the WeMo Cloud. Wi-Fi credentials cannot be obtained from Wemo devices in normal use — such as when someone accesses their WeMo Switch to turn off a lamp while at the airport, for example — and devices in normal use cannot be compromised either. It is strictly an issue during set-up and even then only at the exact moment the moment that the Wi-Fi password is transmitted.
"This vulnerability can only be exploited if a hacker is within Wi-Fi range of the WeMo device and sniffing the specific channel at the EXACT moment during set-up that the user is giving the device Wi-Fi credentials. Once the device is set-up, it cannot be accessed at all."
"This is a common set-up scenario, used by many other Wi-Fi, Bluetooth or other connected devices, so this issue is not singular to WeMo. The likelihood of any user being affected by this vulnerability is extremely rare and we don’t believe it poses a significant risk to WeMo users. That said, we are constantly reevaluating our security measures and won’t hesitate to make changes if the risk becomes more significant."