Nasty holes found in Belkin's home automation kit

Insecure firmware handling, poor communications practices and API vulnerabilities are among a range of vulnerabilities security company IOActive has identified in Belkin's WeMo home automation systems. In its advisory, IOActive says it has discovered that the systems leak a hard-coded key and password that Belkin uses to …

COMMENTS

This topic is closed for new posts.
  1. LarsG

    Anyone actually got a Belkin home automation kit?

    If so, why?

    1. Ole Juul

      I can imagine that if insurance companies find out about the dangers of these things, they'll be asking the same question.

      1. Anonymous Coward

        What dangers exactly?

        Considering WeMo only really seems to offer the ability to turn a standard 3 pin plug socket on and off, exactly what are the dangers?

        So a hacker may be able to turn a WeMo user's table lamp on or off... or maybe a fan. I'm not really seeing the danger there yet? I'm obviously missing something?

    2. Gordon Pryra

      Yeah, millions.

      Why? Because people trust places like PC World to be more than box shifters selling overpriced outdated crap purely on a "most profit per cm" basis.

      It still pisses me off that people have been working with IT kit for around 15-20 years, but still use the argument that it's all "too complicated" and don't spend any time helping themselves by finding out what it is they are actually buying.

      A second point about the post itself: this is one of the main reasons the "3 strikes and you're out" ISP/record industry thing would fail if anyone ever went to court over this.

      Prove that the person being accused of illegal downloads is doing the download, not someone sitting in their car outside. You can't, because the kit being used is still so shit.

      1. The BigYin

        "It still pisses me off that people have been working with IT kit for around 15-20 years, but still use the argument that it's all 'too complicated' and don't spend any time helping themselves by finding out what it is they are actually buying."

        That doesn't piss me off at all. What pisses me off is the push by clueless marketeers that it should be easy. My boiler is 'too complicated' and beyond setting the temperature/timer I don't touch the bloody thing. I hire someone who knows what they are doing.

        Why are people so averse to hiring someone to come in and sort out their router or what-have-you?

        *I* am quite happy to arse about with my routers, but it is certainly way, way, WAY too complicated for the average user. Just as my boiler is way, way, WAY too complicated for me.

        We can't all be experts in everything y'know.

      2. Stevie

        It still pisses me off that ...

        ... people have been driving cars for over a hundred years but most still can't tighten a squealing fan belt or set their car's valve timing.

        Tch!

  2. The BigYin

    Liability?

    "the systems leak a hard-coded key and password that Belkin uses to sign firmware."

    So let's say that someone gets robbed because of this.

    Would their insurance pay-out, or refuse because they had equipment that was known to be insecure?

    Is Belkin in any way liable for consequential loss?

    1. Fred Flintstone

      Re: Liability?

      "Is Belkin in any way liable for consequential loss?"

      I suspect there will be the usual barrage of 6 point size light grey-on-white disclaimers on the paperwork that comes with the kit. Only the market can act as a correcting force: if enough people care, it will no longer sell.

      1. Tom 13

        Re: the usual barrage of 6 point size light grey-on-white disclaimers

        And those aren't worth the paper they are printed on no matter what the lawyers hired by the company printing them tell you. At least in the case of home automation.

        I worked for one such company back in the dark ages when 386 processors were new. They originally planned to integrate home security into their automation system. That was dropped when they found out that as soon as they included it they were fully liable if the bad guys used the remote access system to allow entrance to the domicile. They planned a "romantic" house mode that was supposed to bring on the lights dim, set the music playing, and turn on the gas fireplace all at the press of a button. Right up until the safety engineers said the light dimmers need to fail safe in the event of power loss and that meant all lights came on at full brightness and dimmed down.

        You can swindle someone out of a couple hundred bucks on an OS that runs their business and it turns out to not be fit for purposes, but people's safety is a whole other kettle of fish.

    2. Ole Juul

      Re: Liability?

      Fire insurance too. If crazies can get the ability to turn on all your electrical equipment and crank the furnace while you're on vacation, then there is a problem. One that insurance companies could take note of.

  3. Tom 38

    Don't buy security from box shifters

    Belkin (+many others) only care about selling little boxes, so the software will be poor quality and just good enough to ship.

    Something like this deserves an open source solution, where a bunch of nut jobs¹ who obsess about home automation and security have spent thousands of hours perfecting the stack.

    ¹ I use it affectionately; I'm also a nut job, just not about home automation.

    1. Anonymous Coward

      Re: Don't buy security from box shifters

      > Don't buy security from box shifters ... deserves an open source solution

      Really? Not everyone is a neckbeard with no social life. Some people just want to get on with things. Should people avoid ready-made cars and build their own? Don't buy a house, build your own? Don't buy a sandwich, grow your own wheat, make your own bread, rear your own pig, make your own ham?

      "nut jobs" is right if you think the average person has the time or the inclination to subscribe to the same prejudices and delusional world-view as you.

      1. Anonymous Coward

        Re: Don't buy security from box shifters

        "'nut jobs' is right if you think the average person has the time or the inclination to subscribe to the same prejudices and delusional world-view as you."

        Quite amusing that your post accuses someone else of prejudice, yet you use the term 'Not everyone is a neckbeard with no social life'.

      2. Tom 38

        Re: Don't buy security from box shifters

        Way to miss the point, AC. I didn't say people needed to write the damn thing themselves, just that that should be the source of the software. Many easy-to-use mass market consumer electronics have open source software at their base; the people using them do not know or care (as evidenced by your delightful musings).

        1. Anonymous Coward

          Re: Don't buy security from box shifters

          "Many easy-to-use mass market consumer electronics have open source software at their base"

          For some core utilities, maybe. But they all have professionally written interfaces placed on top so that normal people can actually use them.

          1. Adrian 4

            Re: Don't buy security from box shifters

            What makes you think open source software isn't professionally written?

            The stuff I've encountered is far better written than many commercial products. Possibly because the authors care about more than the next pay check.

            1. DropBear

              Re: Don't buy security from box shifters

              Quite possibly so, but it's also equally likely to only run in a console. Because Real Men - sorry, Professionals - Don't Need No Stinkin' GUIs (while mere mortals would generally prefer to keep not knowing what a VT100 is).

  4. DropBear

    I can see the future...

    "...McToffee, the leading supplier of antivirus software for outlets, switches and lightbulbs!" This is a brave new world indeed.

    1. Fatman

      Re: I can see the future...

      "...McToffee, the leading supplier of antivirus software for outlets, switches and lightbulbs!"

      I can picture it now: you come home one evening to turn on the light, only to have it still remain off. The control panel is flashing: "software update in progress, please wait". The damned bulb needs an AV signature update.

  5. Robert Helpmann??

    SciFi Now

    This week's episode of Almost Human (Disrupt) was about a home automation and security system that got hacked in order to kill several people. The manufacturers of the kit protested that they used the same safeguards as the Pentagon. Sounds about right. Growing pains are to be expected with any new technology. There will also be unintended consequences and abuses of the same. The problem that I have with it all is that it is predictable enough that a bunch of TV writers, a group that routinely gets tech issues dead wrong, can figure it out, and it is still going to happen.

    1. Fred Flintstone

      Re: SciFi Now

      "The manufacturers of the kit protested that they used the same safeguards as the Pentagon"

      As long as they're not the same safeguards as the NSA.. :p

  6. Anonymous Coward

    But there's more

    Belkin now owns Linksys and their line of exploitable routers. Misery loves company.

  7. Andrew Denton 1

    Belkin kit in "a bit shit" shocker.

  8. PeterM42

    It's BELKIN kit

    So what did you expect?

  9. Anonymous Coward

    I've got one of the power switches

    I use it to be able to power cycle my office computer when I am away and it hangs... It works but the software is absolute shite. I'm not at all surprised it is full of security holes, in fact I'm more surprised that anyone would think a cheap consumer product like this would be secure.
