Password leak in WeMo devices makes home appliances susceptible to hijacks (updated)

Belkin

Update: Seven hours after this article was published, Belkin representatives issued a statement saying most of the vulnerabilities IOActive reported had been patched in January, in version 3949 of of the WeMo firmware. The statement also said Belkin employees had been in contact with researchers about the vulnerabilities prior to Tuesday's report.

IOActive researcher Mike Davis said the extent of his communication with Belkin was a single phone call with an employee. Davis said he was never informed of any patches being issued for the WeMo firmware. The US-CERT advisory similarly stated there were no known fixes for the vulnerabilities. Below is the story as originally reported, followed by Belkin's statement, Davis's reply, and a representative's response to questions.

Security researchers have taken the unusual step of recommending that people stop using Belkin's WeMo home automation products after uncovering a variety of vulnerabilities that attackers can exploit to take control of home networks, thermostats, or other connected devices.

Read 12 remaining paragraphs | Comments