Uncovering Security Vulnerabilities in the Belkin WeMo Home Automation Ecosystem

Haoyu Liu, Tom Spink, Paul Patras

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

Abstract / Description of output

The popularity of smart home devices is growing as consumers begin to recognize their potential to improve the quality of domestic life. At the same time, serious vulnerabilities have been revealed over recent years, which threaten user privacy and can cause financial losses. The lack of appropriate security protections in these devices is thus of increasing concern for the Internet of Things (IoT) industry, yet manufacturers’ ongoing efforts remain superficial. Hence, users continue to be exposed to serious weaknesses. In this paper, we demonstrate that this is also the case of home automation applications, as we uncover a set of previously undocumented security issues in the Belkin WeMo ecosystems. In particular, we first reverse engineer both the mobile app that enables users to control smart appliances and the communication logic implemented by WeMo devices. This enables us to compromise the passphrase guarding the communication over the local wireless network, opening the possibility of eavesdropping on user traffic. We further reveal how an attacker can present a fake device to a WeMo user, through which cross-site scripting can be exploited in order to mislead the user into disclosing private information. Lastly, we provide a set of security guidelines that can be followed to remedy the vulnerabilities identified.
Original language: English
Title of host publication: Proceedings of the Third International Workshop on Security, Privacy, and Trust in the Internet-of-Things
Place of Publication: Kyoto, Japan
Publisher: Institute of Electrical and Electronics Engineers
Pages: 894-899
Number of pages: 6
ISBN (Electronic): 978-1-5386-9151-9, 978-1-5386-9150-2
ISBN (Print): 978-1-5386-9152-6
Publication status: Published - 6 Jun 2019
Event: Third International Workshop on Security, Privacy and Trust in the Internet of Things - Kyoto, Japan
Duration: 11 Mar 2019 to 15 Mar 2019
https://sites.google.com/view/spt-iot/home

Conference

Conference: Third International Workshop on Security, Privacy and Trust in the Internet of Things
Abbreviated title: SPT-IoT 2019
Country/Territory: Japan
City: Kyoto
Period: 11/03/19 to 15/03/19