Uncovering security vulnerabilities in the Belkin WeMo home automation ecosystem

Haoyu Liu; Tom Spink; Paul Patras

doi:10.1109/PERCOMW.2019.8730685

Uncovering security vulnerabilities in the Belkin WeMo home automation ecosystem

Haoyu Liu, Tom Spink, Paul Patras

School of Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

The popularity of smart home devices is growing as consumers begin to recognize their potential to improve the quality of domestic life. At the same time, serious vulnerabilities have been revealed over recent years, which threaten user privacy and can cause financial losses. The lack of appropriate security protections in these devices is thus of increasing concern for the Internet of Things (IoT) industry, yet manufacturers’ ongoing efforts remain superficial. Hence, users continue to be exposed to serious weaknesses. In this paper, we demonstrate that this is also the case of home automation applications, as we uncover a set of previously undocumented security issues in the Belkin WeMo ecosystems. In particular, we first reverse engineer both the mobile app that enables users to control smart appliances and the communication logic implemented by WeMo devices. This enables us to compromise the passphrase guarding the communication over the local wireless network, opening the possibility of eavesdropping on user traffic. We further reveal how an attacker can present a fake device to a WeMo user, through which cross-site scripting can be exploited in order to mislead the user into disclosing private information. Lastly, we provide a set of security guidelines that can be followed to remedy the vulnerabilities identified.

Original language	English
Title of host publication	2019 IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom Workshops
Publisher	Institute of Electrical and Electronics Engineers (IEEE)
Pages	894-899
Number of pages	6
ISBN (Electronic)	9781538691519
ISBN (Print)	9781538691526
DOIs	https://doi.org/10.1109/PERCOMW.2019.8730685
Publication status	Published - 6 Jun 2019
Event	SPT-IoT'19 - The Third Workshop on Security, Privacy and Trust in the Internet of Things - Kyoto, Japan Duration: 11 Mar 2019 → 15 Mar 2019 Conference number: 3 http://percom.uta.edu/Previous/ST2019/index.html

Workshop

Workshop	SPT-IoT'19 - The Third Workshop on Security, Privacy and Trust in the Internet of Things
Abbreviated title	SPT-IoT'19
Country/Territory	Japan
City	Kyoto
Period	11/03/19 → 15/03/19
Internet address	http://percom.uta.edu/Previous/ST2019/index.html

Access to Document

10.1109/PERCOMW.2019.8730685

Liu_2019_Uncovering_security_vulnerabilities_AAM
Copyright © 2019 IEEE. This work has been made available online in accordance with publisher policies or with permission. Permission for further reuse of this content should be sought from the publisher or the rights holder. This is the author created accepted manuscript following peer review and may differ slightly from the final published version. The final published version of this work is available at https://doi.org/10.1109/PERCOMW.2019.8730685.
Accepted author manuscript, 474 KB

Cite this

@inproceedings{390b5daac03b4872bf332e225d51f23d,

title = "Uncovering security vulnerabilities in the Belkin WeMo home automation ecosystem",

abstract = "The popularity of smart home devices is growing as consumers begin to recognize their potential to improve the quality of domestic life. At the same time, serious vulnerabilities have been revealed over recent years, which threaten user privacy and can cause financial losses. The lack of appropriate security protections in these devices is thus of increasing concern for the Internet of Things (IoT) industry, yet manufacturers{\textquoteright} ongoing efforts remain superficial. Hence, users continue to be exposed to serious weaknesses. In this paper, we demonstrate that this is also the case of home automation applications, as we uncover a set of previously undocumented security issues in the Belkin WeMo ecosystems. In particular, we first reverse engineer both the mobile app that enables users to control smart appliances and the communication logic implemented by WeMo devices. This enables us to compromise the passphrase guarding the communication over the local wireless network, opening the possibility of eavesdropping on user traffic. We further reveal how an attacker can present a fake device to a WeMo user, through which cross-site scripting can be exploited in order to mislead the user into disclosing private information. Lastly, we provide a set of security guidelines that can be followed to remedy the vulnerabilities identified.",

author = "Haoyu Liu and Tom Spink and Paul Patras",

year = "2019",

month = jun,

day = "6",

doi = "10.1109/PERCOMW.2019.8730685",

language = "English",

isbn = "9781538691526",

pages = "894--899",

booktitle = "2019 IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom Workshops",

publisher = "Institute of Electrical and Electronics Engineers (IEEE)",

note = "SPT-IoT'19 - The Third Workshop on Security, Privacy and Trust in the Internet of Things, SPT-IoT'19 ; Conference date: 11-03-2019 Through 15-03-2019",

url = "http://percom.uta.edu/Previous/ST2019/index.html",

}

Liu, H, Spink, T & Patras, P 2019, Uncovering security vulnerabilities in the Belkin WeMo home automation ecosystem. in 2019 IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom Workshops., 8730685, Institute of Electrical and Electronics Engineers (IEEE), pp. 894-899, SPT-IoT'19 - The Third Workshop on Security, Privacy and Trust in the Internet of Things, Kyoto, Japan, 11/03/19. https://doi.org/10.1109/PERCOMW.2019.8730685

Uncovering security vulnerabilities in the Belkin WeMo home automation ecosystem. / Liu, Haoyu; Spink, Tom; Patras, Paul.
2019 IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom Workshops. Institute of Electrical and Electronics Engineers (IEEE), 2019. p. 894-899 8730685.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Uncovering security vulnerabilities in the Belkin WeMo home automation ecosystem

AU - Liu, Haoyu

AU - Spink, Tom

AU - Patras, Paul

N1 - Conference code: 3

PY - 2019/6/6

Y1 - 2019/6/6

N2 - The popularity of smart home devices is growing as consumers begin to recognize their potential to improve the quality of domestic life. At the same time, serious vulnerabilities have been revealed over recent years, which threaten user privacy and can cause financial losses. The lack of appropriate security protections in these devices is thus of increasing concern for the Internet of Things (IoT) industry, yet manufacturers’ ongoing efforts remain superficial. Hence, users continue to be exposed to serious weaknesses. In this paper, we demonstrate that this is also the case of home automation applications, as we uncover a set of previously undocumented security issues in the Belkin WeMo ecosystems. In particular, we first reverse engineer both the mobile app that enables users to control smart appliances and the communication logic implemented by WeMo devices. This enables us to compromise the passphrase guarding the communication over the local wireless network, opening the possibility of eavesdropping on user traffic. We further reveal how an attacker can present a fake device to a WeMo user, through which cross-site scripting can be exploited in order to mislead the user into disclosing private information. Lastly, we provide a set of security guidelines that can be followed to remedy the vulnerabilities identified.

AB - The popularity of smart home devices is growing as consumers begin to recognize their potential to improve the quality of domestic life. At the same time, serious vulnerabilities have been revealed over recent years, which threaten user privacy and can cause financial losses. The lack of appropriate security protections in these devices is thus of increasing concern for the Internet of Things (IoT) industry, yet manufacturers’ ongoing efforts remain superficial. Hence, users continue to be exposed to serious weaknesses. In this paper, we demonstrate that this is also the case of home automation applications, as we uncover a set of previously undocumented security issues in the Belkin WeMo ecosystems. In particular, we first reverse engineer both the mobile app that enables users to control smart appliances and the communication logic implemented by WeMo devices. This enables us to compromise the passphrase guarding the communication over the local wireless network, opening the possibility of eavesdropping on user traffic. We further reveal how an attacker can present a fake device to a WeMo user, through which cross-site scripting can be exploited in order to mislead the user into disclosing private information. Lastly, we provide a set of security guidelines that can be followed to remedy the vulnerabilities identified.

U2 - 10.1109/PERCOMW.2019.8730685

DO - 10.1109/PERCOMW.2019.8730685

M3 - Conference contribution

SN - 9781538691526

SP - 894

EP - 899

BT - 2019 IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom Workshops

PB - Institute of Electrical and Electronics Engineers (IEEE)

T2 - SPT-IoT'19 - The Third Workshop on Security, Privacy and Trust in the Internet of Things

Y2 - 11 March 2019 through 15 March 2019

ER -

Uncovering security vulnerabilities in the Belkin WeMo home automation ecosystem

Abstract

Workshop

Access to Document

Fingerprint

Cite this