a=rtpmap:3 GSM/8000
a=rtpmap:96 telephone-event/8000
a=fmtp:96 0-15
a=candidate:Ha000102 1 UDP 2130706431 10.0.1.2 3106 typ hostAt this point, the connection is established and the iOS app is able to listen to the audio
transmitted by the WeMo Baby.
Bad Security by Design
As we’ve seen, the iOS app needs only one-time access to the same local network as the baby
monitor to invoke the /upnp/control/remoteaccess1 service. Once this is done, the iOS app
can listen in to the baby monitor from anywhere in the world by contacting the k2.k.bel
kin.evodevices.com server using SIP. The obvious issue here is that any users with one-time
access to the local WiFi network can register themselves without authentication and authori-
zation. They can also continue to access the baby monitor remotely until a local user specifi-
cally deletes their devices from the Access list (using the iOS app while on the local WiFi net-
work). See my YouTube video on this topic for a demonstration of this in action.
A realistic situation in which this vulnerability could become a problem would be a visitor
to someone’s home requesting temporary access to a personal WiFi network. If this individual
were to access the WeMo Baby app, he could then continue to listen in to the baby monitor
remotely. On this note, Lon J. Seidman’s Amazon review of the WeMo Baby specifically states
his concern over this design issue:
...But that’s not the only issue plaguing this device. The other is a very poor security model that
leaves the WeMo open to unwelcome monitoring. The WeMo allows any iOS device on your net-
work to connect to it and listen in without a password. If that’s not bad enough, when an iPhone
has connected once on the local network it can later tune into the monitor from anywhere in the
world. Belkin assumes that your access point is secured and that the only people accessing it are
people you know. This is especially troublesome for people who don’t secure their access points or
are using weak security that’s vulnerable to cracking.
Belkin seems to acknowledge this vulnerability in the software, showing which devices can connect
to the WeMo and whether or not to allow global snooping. Unfortunately WeMo gives full access to
every device right out of the gate, requiring you to continually monitor it to ensure that an unau-
thorized listener hasn’t connected to it.
The bottom line? It’s not reliable enough to make it an effective monitor for my child, nor is it
secure enough to give me the confidence that others can’t snoop in. For those reasons I simply can’t
recommend this product.In response to Seidman’s review, Belkin issued this comment:THE BELKIN WEMO BABY MONITOR 75