Oops: Security Holes In Belkin Home Automation Gear 77
chicksdaddy writes "The Security Ledger reports that the security firm IOActive has discovered serious security holes in the WeMo home automation technology from Belkin. The vulnerabilities could allow remote attackers to use Belkin's WeMo devices to virtually vandalize connected homes, or as a stepping stone to other computers connected on a home network. IOActive researcher Mike Davis said on Tuesday that his research into Belkin's WeMo technology found the 'devices expose users to several potentially costly threats, from home fires with possible tragic consequences down to the simple waste of electricity.' IOActive provided information on Davis's research to the US Computer Emergency Readiness Team (CERT), which issued an advisory on the WeMo issues on Tuesday. There has been no response yet from Belkin."
Holes in everyone's router! (Score:2)
Re: (Score:3)
Apparently to fix your Linksys, I hear all you need to do is disable: Remote Administration
IMHO, that's a feature that should have never been turned on by default to start with. When I bought my last router (a Linksys WRT54G) eight or nine years ago, you could only administer it over wired connections by default. You had to turn on the ability to use wireless devices to make changes.
Nowadays router makers seem to all allow wireless admin access by default, even when most people never bother to change the admin password. So all you need is to not secure your wifi (or have a compromised password) a
Re: (Score:2)
Predictable .... (Score:5, Interesting)
As soon as you start having something poking holes through your firewall to allow inbound traffic, this is pretty much a predictable outcome.
The internet of things, smart home monitoring, and thermostats you can adjust from the web ... all of these are things which are going to cause security problems, because most companies doing these kinds of things seem to completely ignore security, or when they try, still do a piss poor job.
I view the whole thing as a big "what did you expect?".
Re:Predictable .... (Score:4, Insightful)
Well your wifi network should not have any access to the internal network... period.
What the fuck? My girlfriend has a laptop. We both have phones. Those devices connect to our internal network via Wifi. We need to access the LAN over Wifi.
If you want a separate network for your home automation shit, then you've got to have some means of controlling it, so you're inevitably going to end up bridging the two networks at some point.
Re: (Score:2)
Re: (Score:2, Funny)
Which is why the best home security system is still the kind with four paws and a loud bark.
Re: (Score:2)
Which is why the best home security system is still the kind with four paws and a loud bark.
I dunno about that. Mine has two steel feet and a pair of vulcan cannons and I feel pretty secure.
Re: (Score:2)
If I may be perfectly sincere, a medium-large dog that barks when startled is generally all you need to protect your home. Most all dogs are incredibly vigilant, and no burglar w
Re: (Score:2)
People actually leave uPnP enabled on their routers?
Re: (Score:2)
The WeMo switch I have is connected to the guest network of my router.
So the rest of my network is secure I hope...
I say Tomato... (Score:4, Funny)
...you say Belkin,
let's watch your house get hacked.
Belkin Gear (Score:3)
...from Belkin
What is it with these guys? Every piece of gear of theirs I've tried over the years has been flaky or just plain crap. I realize I don't have a large sample size but I've seen other people make similar comments about their gear. Their stuff just always seems to have some sort of problem.
Re:Belkin Gear (Score:4, Interesting)
Maybe their hardware is crap because they're more about abusing their customers [slashdot.org] than providing quality products.
Re: (Score:2)
Re: (Score:2)
I used to like Netgear, but they're crap now. You say Belkin is too, OK, who then?
I've at least had mixed luck with Netgear stuff, mostly fine with a few duds. Same with Linksys, D-Link, Trendnet and some others. Apple gear I've used has been solid if pricey. But I have yet to have a bit of Belkin gear that didn't do something unexpected (in a bad way). Maybe some of their stuff is fine but I haven't come across it.
Re: (Score:3)
Try Buffalo; their routers come standard with DD-WRT. Or, look at the DD-WRT and OpenWRT device databases and pick a well-supported device to run one of those firmwares on.
Re: (Score:2)
I have one of their routers here at work (not my decision I can assure you). It works but its web config menu sucks and lacks many of the features you find in a decent router OS like m0n0wall or pfSense. But that is every crappy low end router. At home I run m0n0wall on an Alix board. That system is *ROCK SOLID* and I highly recommend it if you want a basic yet solid router for a connection of upward of 50 mbps or a bit more. If you want more speed for 100mbps+ then go with a Soekris NET6501 and pfSense.
*BU
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
would you like to recommend and aternative that works better in your experience?
Lately I've had the best luck with Trendnet and Apple. Dlink and Netgear are usually fine though I have run across a few bad pieces of gear. Linksys I've had mixed luck with and their stuff has gotten worse over time. My small office uses a Netgear 24 port switch, a few Trendnet gigabit switches and an Apple Airport Express for wireless. Haven't had any problems with any of it. We had a Netgear router (replaced by the Airport) which handled our wireless until it died for unexplained reasons.
Sample size
Re: (Score:1)
I remember when Belkin was mostly known for desk organizers and mouse pads. I wish they'd have stayed that way.
Re: (Score:2)
Don't forget horrifically overpriced cables.
Re: (Score:2)
I only have a data point of one, a gizmo to use the radio to capture iPod tunes and play them so I could hear them. Never worked right. I finally gave up resolved not to believe anything Belkin says about their stuff. With only one data point, that's not a good argument, but then I don't want to get burned again.
Re: (Score:2)
What is it with these guys? Every piece of gear of theirs I've tried over the years has been flaky or just plain crap.
Well, the problem is that all their gear is flaky or just plain crap.
They make pretty good cables. Everything else is junk.
Re: (Score:2)
They position themselves as a high end brand, priced appropriately. In fact they buy the cheapest shit they can get that week and package it up, usually with the same model number as last week so the drive download is actually a bundle of several different drivers.
I saw a documentary about this on TV last night (Score:5, Funny)
The hackers got into the home security system and caused it to mis-identify the homeowners as intruders. This caused the home security system to activate its laser targeted rifle and shoot (to kill) one of the homeowners.
Ooops .. sorry .. that was last nights episode of Almost Human [fox.com]
(and its pretty sad when Fox has better Scif-Fi on than the Sy-Fy channel)
Re: (Score:2)
It may be sad for Sy-Fy, but I'm personally glad to see that decent sc-fi is actually being made and that people don't just keep not understanding the audience.
Re: (Score:1)
but I'm personally glad to see that decent sc-fi is actually being made and that people don't just keep not understanding the audience.
When it comes down to it Almost Human is your basic cop/detective show. However the writers have done a pretty good job of weaving in the future implications of technology as plot points.
As an aside IMHO that article the other day asking about where is decent SciFi nowadays seemed to miss the point that for a good show character interactions and growth are what makes it good and that technology by itself is merely a prop.
Re: (Score:1)
As an aside IMHO that article the other day asking about where is decent SciFi nowadays seemed to miss the point that for a good show character interactions and growth are what makes it good and that technology by itself is merely a prop.
In MY humble opinion, character interactions and growth makes a good space opera (SyFy), not SciFi.
Re: (Score:2)
Nope, crashing and booming and action makes good space opera (Star Wars was space opera not sci-fi).
Exploring how technology affects our lives and what we do with it, that's sci-fi.
Re: (Score:2)
You and the person you're replying to are both right.
There's a fair amount of scifi that merely ladles on a bunch of melodrama in the hope that someone will think of it as "character development" when in fact it often just serves as filler and often displaces action and technology.
"Walking Dead" went down this road IMHO in Season 2 on the Farm. So much of that season was personal and social angst in a rural agricultural setting with the occasional appearance of a zombie. Everything else kind of went by
Re: (Score:2)
how did home automation roll into programming on FOX???
Seriously, at least try to understand the message you are responding to before making a mindless Buck Feta rant.
Let me 'splain it to you Loozy. There's this new cop show on TV, only one of the cops is an android. [wikipedia.org] And it's set like 35 years in the future, [wikipedia.org] so all the cool stuff of 2014 (like quadcopters) [wikipedia.org] is everyday stuff. And people do bad stuff with the cool stuff, so the human cop and the robot cop have to sort it all out. And in yesterday's episode (oh yeah, ON FOX), someone hacked into a home automation
Re: (Score:2)
I think its pretty sad when the moderators cant keep this thread on topic..
Who are these "moderators" that you speak of? And what is the topic they should be keeping the thread on?
Re: (Score:2)
You beat me to it.
still the south park one was very funny
http://www.southparkstudios.co... [southparkstudios.com]
Re: (Score:2)
What else do you expect from something that sounds like a pet-name for venereal disease?
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Bastard. Where was the spoilers warning. I haven't watched that episode yet.
Considering that that was the opening sequence of the show I hardly consider that it needed a spoiler alert. Now you may want to shut your eyes before you read about who actually did the hacking .. :D
Re: (Score:2)
(and its pretty sad when Fox has better Scif-Fi on than the Sy-Fy channel)
Expect the show to be cancelled early. This is typical of Fox: they cancelled Firefly after 14 episodes, and Terra Nova after 1 season (with a cliffhanger).
Re: (Score:2)
Also, FOX put Almost Human messed up the episode order like Firefly. :(
Intentional backdoors? (Score:2)
Remember when this company did this [slashdot.org] to their routers?
Surprised? (Score:2, Interesting)
MOAR IETF! (Score:2)
IETF made everything possible, but has unfortunately been somewhat abandoned, or at least isn't functioning as a mooring-of-sanity as it used to. In some ways, this is inevitable, since the e-world is big enough that even a small company can do its own thing, and still succeed big.
This matters for IoT, since most cloud-enabled IoT devices do totally random things: poke through firewalls with UPNP, shove your private data into some random website, potentially over insecure protocols. (Or protocols that cou
Re: (Score:2)
IETF should be thinking along the lines of a *local* data hub that you own,
You give to IETF more power than they actually have. They document standards. They don't police them. They can't kick someone who violates them off the net. We have a long history of companies who ignore the standards because they want to either "enhance the user experience" or control it ...
You don't want your fire alarm dependent on random external sites, or your internet-enabled door locks, or your thermostat, etc.
Most people who buy this kind of stuff want it to "just work". That means they don't care if it uses some cloud services, they want to buy it, plug it in, and have it do something productive. Making it cost more by re
Black Friday sales (Score:3)
That explains all the Black Friday sales on this product. Get them sold before the vulnerability is public. I'm betting they knew about this.
Writes itself (Score:2)
Additionally, our mothers are rather large.
Already Patched (Score:3)
Latest firmware contained security fixes.
Re: (Score:2)
Re: (Score:2)
software faults, real world consquences (Score:2)
Any automated control should have a local override to disconnected it from the control loop. This is normal practice in process plants. That way when a hacker takes over your thermostat, you put it in override until the access problem is fixed.
Second, fires by software should not be possible. Protections should be baked into the hardware for home control things that can have e consequences to people.
The hidden danger of the IoT... (Score:4, Interesting)
Here's an example... Walk around your house and figure out the age of all of your appliances. You probably have a few items (e.g. refrigerator) that are pushing 20 years old??? Now, imagine you buy a few shiny new IoT appliances & they're all connected to the Internet--15+ years from now. Seriously, this is a disaster waiting to happen & a hacker's wet dream... Imagine what support will exist 15 years from now for current versions of Android 4.x, Linux 3.x, Apache, PHP, MySQL, etc. Or better yet, what 1999-era software still receives even security patches or bug fixes? (Win9x--nope. Linux 2.2--nope. IIS4--nope. W2K--nope. SQL Server 7--nope... You get my point...)
Ultimately, with the IoT, we're trusting that companies will be willing to support their products, including OS kernel patching on FOSS platforms that were long-abandoned by their progenitors, 25-odd years??? Dream on... I don't intend to replace my fridge or washer in a few years because it got "bricked" because of a security hole the manufacturer chose to ignore...
Belkin's problems are only the beginning...
temporary fix (Score:3, Interesting)
Re: (Score:2)
...all I see blocked is the constant requests to "184.73.174.14:3478".
Interesting. That's an address in the Amazon cloud. It accepts telnet connections but gives nothing back that I can see.
It may be something like the attempted external connections I found from an internet power switch. Why would an internet power switch be trying to connect to a site in China? The vendor claims it was their aborted attempt at a dynamic DNS service so you could control the switch from the world. I dunno, but I blocked it anyway.
At the same time I found this traffic, I also found that a r
Please tell me I'm dreaming! (Score:2)
"security" (Score:2)
Note to self (Score:2)
Self,
Disconnect chainsaw from home network.
Stupid architecture (Score:2)
'The cloud' should not have any access to these devices AT ALL. At most, a hole in the firewall should allow external connections to a server running on the LAN that can then talk to the devices (and that should be entirely optional). They should never even try to phone home for any reason. It's nobody's business but mine which lights are turned on.
That is especially true since according to TFA, Belkin leaked the keys to the kingdom.
Belkin says "solved" http://www.belkin.com/us/supp (Score:1)