
Eavesdropping made easy: Remote spying with WeMo Baby and an iPhone

A security researcher is fed up with insecure designs and takes Belkin to task for flaws in WeMo Switch, Wi-Fi NetCam and WeMo Baby.

When it comes to home automation, many people turn to Belkin WeMo because you can plug almost anything into the "smart" electrical switch and then remotely control it from a smartphone. As more people dive into the Internet of Things (IoT), with its "easy" but hackable home automation built on connected devices controlled by mobile phones, security researcher Nitesh Dhanjani presents "Reconsidering the Perimeter Security Argument" [pdf]. He highlights flaws in Belkin's WeMo Switch, Wi-Fi NetCam and WeMo Baby. He demonstrates a "glaring design issue" in WeMo Baby that allows "anyone with one-time access to the local Wi-Fi where the monitor is installed" to later "listen in without authentication" and to "continue to listen in remotely."

The Organization for Economic Co-operation and Development estimates, "By 2022, the average household with two teenage children will own roughly 50 Internet-connected devices, up from approximately 10 today." Although estimates vary, the International Data Corporation expects "the installed base of the Internet of Things will be approximately 212 billion 'things' globally by the end of 2020. This will include 30.1 billion installed 'connected (autonomous) things' in 2020."

Yet despite the positive aspects that home automation can bring us, Dhanjani states:

IoT device manufacturers should lay the foundation for a strong security architecture that is usable as well as not easily susceptible to other devices on the network. In these times, a compromised device on a home network can lead to the loss of financial information and personal information. If IoT device vendors continue their approach of depending on the local home network and all other devices being completely secure, we will live in a world where a compromised device can result in gross remote violation of privacy and physical security of its customers.

WeMo Baby

Regarding the Belkin WeMo Baby, Dhanjani quoted an Amazon review by Lon Seidman:

...But that's not the only issue plaguing this device. The other is a very poor security model that leaves the WeMo open to unwelcome monitoring. The WeMo allows any iOS device on your network to connect to it and listen in without a password. If that's not bad enough, when an iPhone has connected once on the local network it can later tune into the monitor from anywhere in the world.

Belkin WeMo Baby and smartphone app

Dhanjani then demonstrated that flaw in a video. His proof-of-concept attack "turns a wireless baby monitor made by Belkin into a stealthy bugging device that can be accessed by someone in your front yard...or halfway around the world," reported Ars Technica.

Belkin Wi-Fi NetCam

While it's not the baby monitor cam hack that allowed a creep to spy on a toddler in her crib, Dhanjani also pointed out [pdf] that the Belkin Wi-Fi NetCam "lets users remotely view video from the camera." The "NetCam password can be captured by local Wi-Fi users and by the internet service provider to obtain full blown remote access to the camera," he wrote. "Once the attacker or botnet herder has collected the credentials," then "he or she can spy on the victim using the Netcam app."

WeMo Switch

Before presenting "Weaponizing your coffee pot" at DerbyCon, Daniel Buentello plugged a lamp into a WeMo Switch and made the relay click off and on so fast that it appeared as if the lamp might explode. Dhanjani also took issue with the WeMo Switch in his paper [pdf]: "Similar to the situation in WeMo Baby, malware on the local network can easily turn devices on the WeMo Switch on or off by directly invoking a POST request."

After pointing users toward Issac Kelly's GitHub code for an example, Dhanjani wrote, "Also similar to WeMo Baby, the malware script can obtain remote access and ship the authorized token to an attacker remotely. In this scenario a potential botnet herder can easily gain remote access to multiple WeMo switches in homes where his or her malware has been deployed."

Dhanjani concluded, "As seen by the detailed illustrations in the above examples, we cannot secure our future by asserting that IoT devices and supporting applications have no responsibility to protecting the user's privacy and security beyond requiring the user to setup a strong Wi-Fi password."


Follow me on Twitter @PrivacyFanatic
