Belkin WeMo

Video: Weaponizing Your Coffee Pot

The third annual DerbyCon wrapped up last week. Alas, I wasn’t able to make it down to Louisville, Kentucky and don a pork-pie hat with the smart people there.

Belkin WeMo
Belkin’s WeMo home automation products often lacked basic security features, like authentication when connecting to devices or pushing firmware updates.

Still, there were some great presentations, and most of them are available online. One worth checking out if you’re into the Internet of Things hacking -thing is Daniel Buentello’s (@danielbuentell0) presentation of “Weaponizing Your Coffee Pot.” This is a repeat performance for Daniel, who also presented it at the ToorCon Conference in Seattle back in July.

Derbycon Logo

The first half of this talk is a high level overview of IoT and the security implications thereof. Mostly this is stuff you’ve read on this blog before. In the second half, Daniel goes down into the weeds on hacking a couple of classic IoT devices: Belkin’s WeMo IP enabled power outlet and Nest’s iconic thermostat.

Without getting into all the details (its worth watching if you’ve toyed with breaking into a smart object). The interesting stuff is looking at Daniel’s methodology for reverse engineering the software that runs these commercial developments. A couple points:

  •  Insecure by default: device makers have done little or nothing to secure communications to or from their devices. Buentello notes that the Belkin WeMo home automation product allows unauthenticated access to its devices – including unauthenticated firmware updates – that could easily be exploited to allow a remote or local attacker to send malicious commands to the device that control its behavior.
  • Common platforms, uncommon capabilities: because so many IoT devices run on Linux, there’s lots of information in the public domain about the inner workings of commercial IoT devices. In the case of Belkin’s WeMo, for example, Buentello was able to troll developer websites to figure out how to circumvent the CRC (cyclic redundancy check) that the WeMo used to detect unauthorized changes to the device’s firmware.
  • Security through obscurity: Buentello observes that even high profile IoT devices like NEST contain dormant or hidden features. Specifically: NEST has an embedded Zigbee wireless interface that isn’t used for anything and is, essentially, a poorly kept and undocumented secret. The company has repeatedly refused to discuss its use, but Buentello suggested that the device itself is subject to compromise.

 

“Take things apart!” Buentello urged DerbyCon participants.

Check out the video below, and visit the DerbyCon site to learn more!