Tuesday 18 February 2014

Belkin WeMo smart home networks in danger of hacks

Belkin WeMo switches can be controlled with a smartphone from anywhere in the world.
(Credit: Jason Cipriani/CNET)
Smart home networks are rapidly gaining popularity, but some security experts worry that not enough encryption controls are coming with the products.
Security firm IOActive released an advisory (PDF) on Tuesday saying more than half a million Belkin WeMo devices are susceptible to widespread hacks. The firm uncovered several vulnerabilities in these devices, which would let hackers gain access to home networks and remotely control Internet-connected appliances.
The hacks could range from a mean-spirited prank to posing an actual danger. For example, they could be as benign as turning someone's house lights on and off or as dangerous as starting a fire.
Many of Belkin's WeMo home automation products let users build their own smart home solutions by adding Internet connectivity to any device -- like sprinkler systems, thermostats, and antennas. Once connected, users can control their appliances with a smartphone from anywhere in the world.
However, hackers could also get into these networks, warns IOActive. The vulnerabilities found by the firm would let hackers remotely control and monitor home networks, as well as perform malicious firmware updates and gain access to other devices, like laptops and smartphones.
According to IOActive, the vulnerabilities would let hackers impersonate Belkin's encryption keys and cloud services to "push malicious firmware updates and capture credentials at the same time."

As long as Belkin doesn't patch these vulnerabilities, IOActive recommends that users refrain from using the WeMo devices. The firm has worked with the US government's Community Emergency Response Team (CERT) on these recommendations, and CERT issued its own advisory on Tuesday.

"As we connect our homes to the Internet, it is increasingly important for Internet-of-Things device vendors to ensure that reasonable security methodologies are adopted early in product development cycles," IOActive's principal research scientist Mike Davis said in a statement. "This mitigates their customer's exposure and reduces risk. Another concern is that the WeMo devices use motion sensors, which can be used by an attacker to remotely monitor occupancy within the home."
