Belkin WeMo Hack Hole Already Patched Smart Home Firm Says
Belkin had already patched the security loophole which could allow hackers to remotely take control of users' WeMo plugs and whatever was plugged into them, the company says, as long as users are up to date with their firmware and apps. The security vulnerabilities, identified by researchers at IOActive, could have been used to fool Belkin WeMo smart home gadgets – which include remote-control sockets, light switches, and motion-sensors – into installing unofficial software that could be exploited.
However, Belkin now says that it had already addressed the issue before it was made public yesterday, having already been in contact with the researchers prior to an advisory warning WeMo users to unplug their devices.
In fact, Belkin says, anybody with the most recent firmware release, version 3949, running on their WeMo device isn't at risk any longer. That can be installed through the iOS or Android apps, with Belkin suggesting updating to the latest version of those before making sure the firmware has been patched.
The original hack involved pushing out a fake firmware update via the unsecured RSS feed Belkin was using to notify WeMo clients that an upgrade was available, and then falsifying the credentials used to install it. As a result, Belkin has updated its WeMo API server – back in November 2013, in fact – to prevent any XML injections, and has added SSL encryption and validation to its firmware distribution.