wrap this framework to perpetually turn the electronic device (plugged into the WeMo Switch)
off:
#!/usr/bin/python
import time
from wemo import on, off, get
while True:
off()
time.sleep(5)For a video demonstration of this, see my YouTube video on the subject.
Notice that no authentication or authorization token was required! We now have clear evi-
dence that similar thought processes were used in the design of the WeMo Baby and the
WeMo Switch. As in the case with the baby monitor, it is easy to see how malware authors
could exploit the lack of security to quickly toggle the power of WeMo Switches in any homes
where their malware successfully compromises a computing device.
In addition to local access, the app can also enable remote access, so the Switch can be
toggled from anywhere in the world. To do this, the app first sends a request to the remoteac
cess1 service, similar to the case of the WeMo Baby. The app sends a custom string as the
DeviceName when invoking remoteaccess1 on the local web server running on the Switch. This
value is echoed back to the app and stored by the Switch as the authorization token.
When the user is remote, the DeviceName value is sent to https://api.xbcs.net:8443/
apis/http/plugin/message and then relayed to the Switch. So, in essence, a potential piece of
malware needs only one-time access to the local WiFi network, after which the malware
author can capture the DeviceName, connect to the api.xbcs.net service directly, and issue a
command to toggle the Switch.
In the case of Microsoft, ethical security researchers as well as criminals discovered simi-
larities in design across the product line by locating vulnerabilities and testing whether simi-
lar insecure design principles were used elsewhere. In the case of the WeMo product line, we
can see that we have a similar situation. We’ve learned the hard way when it comes to soft-
ware, and we have an example of the same issue recurring in the world of IoT products.
Conclusion
Parents and guardians depend upon monitoring technology to protect the lives of their loved
ones. We noted several cases with Foscam devices that demonstrate how unnerving it can be
for parents to realize that the monitoring device in their child’s bedroom has been compro-
mised by an external entity. Having to run into a baby’s room upon hearing a stranger’s voice
is not an experience any parent would want to have. In addition to enabling scary situations
CONCLUSION 83