TIP The WeMo Baby has been discontinued by the manufacturer. However, it is used in many homes. Also,
because the design and architecture of the product are different from those of the Foscam devices we
have been discussing thus far, it is a good candidate for us to study to uncover security issues.
When the user launches the iOS app while on the local WiFi network, the app attempts to
locate the baby monitor using the Simple Service Discovery Protocol (SSDP), which is the
discovery component of the Universal Plug and Play (UPnP) protocol. In order to find the baby
monitor, the iOS app sends the following UDP packet to the multicast address
239.255.255.250 (a common multicast address to detect devices such as the WeMo monitor)
on port 1900:
M-SEARCH * HTTP/1.1
ST: upnp:rootdevice
MX: 3
MAN: "ssdp:discover"
HOST: 239.255.255.250:1900
Since this is a multicast packet, it is broadcast to the local network. However, only
devices (such as the WeMo monitor) that are actively listening for SSDP packets process the
discovery request. In this case, the WeMo monitor responds by sending the following UDP
packet to the iOS app:
HTTP/1.1 200 OK
CACHE-CONTROL: max-age=86400
EXT:
LOCATION: http://10.0.1.2:49153/setup.xml
OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01
SERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.18
X-User-Agent: redsonic
ST: upnp:rootdevice
USN: uuid:wemo_baby-1_0-[serialNumber DELETED]::upnp:rootdevice
Based on the response, the iOS app captures the IP address of the baby monitor
(10.0.1.2) and the destination port (49153), along with the target resource to request to set up
initial access (/setup.xml). Note that the response from the monitor also includes the value
for the serialNumber that is printed on the bottom of the physical WeMo device.
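The discovery exchange above, as an added example that is not code from the book or from Belkin: it builds the M-SEARCH datagram the app sends, parses a constructed copy of the monitor's SSDP reply (the serial number is a placeholder), and pulls out the same three values the app needs plus the serial number the USN exposes to anyone on the LAN.

```python
"""Worked SSDP exchange for the WeMo Baby discovery step (added example, not the book's code)."""
from urllib.parse import urlparse

# Constructed sample modelled on the response quoted in the text; the serial is a placeholder.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=86400\r\n"
    "EXT:\r\n"
    "LOCATION: http://10.0.1.2:49153/setup.xml\r\n"
    'OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01\r\n'
    "SERVER: Linux/2.6.21, UPnP/1.0, Portable SDK for UPnP devices/1.6.18\r\n"
    "X-User-Agent: redsonic\r\n"
    "ST: upnp:rootdevice\r\n"
    "USN: uuid:wemo_baby-1_0-SERIALPLACEHOLDER::upnp:rootdevice\r\n"
    "\r\n"
)

def build_msearch(st="upnp:rootdevice", mx=3):
    """Build the M-SEARCH datagram the app multicasts; SSDP lines are CRLF-terminated."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"ST: {st}\r\n"
        f"MX: {mx}\r\n"
        'MAN: "ssdp:discover"\r\n'
        "HOST: 239.255.255.250:1900\r\n\r\n"
    )

def parse_ssdp_response(raw):
    """Return the reply's headers as a dict keyed by upper-cased header name."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError("not an SSDP success response: " + lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")  # split on the FIRST colon only (LOCATION has more)
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def describe_device(headers):
    """Extract what the app needs (host, port, path) and what the device leaks (serial in USN)."""
    loc = urlparse(headers["LOCATION"])
    uuid_part = headers.get("USN", "").split("::")[0]
    if uuid_part.startswith("uuid:"):
        uuid_part = uuid_part[len("uuid:"):]
    # For this device the UUID is wemo_baby-1_0-<serialNumber>, so the serial is the last dash field.
    serial = uuid_part.rsplit("-", 1)[-1] if "-" in uuid_part else None
    return {"host": loc.hostname, "port": loc.port, "path": loc.path,
            "serial_exposed": serial is not None, "serial": serial}
```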
The iOS app then submits the following GET request to the baby monitor (at IP address
10.0.1.2 and TCP port 49153):
GET /setup.xml HTTP/1.1
Content-Length: 0
HOST: 10.0.1.2:49153
User-Agent: CyberGarage-HTTP/1.0
CHAPTER 3: ASSAULTING THE RADIO NURSE—BREACHING BABY MONITORS AND ONE OTHER THING (p. 70)