The Internet communication infrastructure used to communicate Belkin WeMo devices is based on an abused protocol that was designed for use by Voice over Internet Protocol (VoIP) services to bypass firewall or NAT restrictions. It does this in a way that compromises all WeMo devices security by creating a virtual WeMo darknet where all WeMo devices can be connected to directly; and, with some limited guessing of a ‘secret number’, controlled even without the firmware update attack.
Last week, the SANS Internet Storm Center began publishing data about an ongoing attack from self-propagating malware that infects some home and small-office wireless routers from Linksys.
So be forewarned: Belkin’s WeMo products may allow you to control your home electronics from afar, but you may not be the only one in control of them. ET: Belkin has responded with a statement saying that it was in contact with the security researchers prior to the publication of the advisory, and, as of February 18, had already issued fixes for each of the noted potential vulnerabilities via in-app notifications and updates.
This allows attackers to use the same signing key and password to sign their own malicious firmware and bypass security checks during the firmware update process.
Additionally, Belkin WeMo devices do not validate Secure Socket Layer (SSL) certificates, preventing them from validating communications with Belkin’s cloud service including the firmware update RSS feed.
From IOActive’s advisory (PDF): The Belkin WeMo firmware images that are used to update the devices are signed with public key encryption to protect against unauthorised modifications.
However, the signing key and password are leaked on the firmware that is already installed on the devices.
More details on this vulnerability are available at this SecurityFocus writeup.