Oh No, Wemo!
Most end-users that purchase these types of devices and blindly plug them into their home networks are going to have ZERO knowledge about what the device is doing or could do on their network.
Darn you Wemo. I had high hopes that as a sort of name-brand in the IoT devices (Wemo is owned by Belkin now) you might have done things a bit better. In fact, I'm shocked that the other devices I have found on Amazon may be less risky if used in the home.
I recently reviewed the VOCOlinc smart plugs that are nearly identical to the Wemo ones:
I included a section in that review on security and how the VOCOlinc only accessed an Internet NTP (network time) server for normal operations. While they did download their firmware from some unknown server in Hong Kong, they have not made any other attempts at accessing Internet hosts.
The same can not be said for the Wemo. Costco had these Wemo smart outlets on sale for $19 for a pair of them. It turns out, it's only $10 each to bring a cloud connection directly into your home and potentially expose you to harm.
https://www.costco.com/wemo-mini-smart-plug%2c-2-pack.product.100391897.html
I had very much expected that these would work much like the VOCOlinc devices, which have been fantastic to use, so far. I expected them to be:
- Setup on the network
- Probably access some NTP (network time) server to sync their clocks
- Update firmware from some Internet cloud host somewhere
- Behave like any other IoT device that only has to be controlled by hosts on the local network (aka: no Internet needed)
Unfortunately I was wrong.
This was the one clue I missed on the advertising:
I set these up just like all the other IoT devices. I found their MAC addresses on the devices, added them to the DHCP server for static IPs and added those IPs to the IoT firewall policy that logs all network traffic.
They powered up, joined the network, received their IP addresses and from the Wemo App for iOS, they told me they should have their firmware updated. The firmware updated from a host in Amazon AWS. Life seemed good.
Then I noticed that these devices had a persistent TCP session to hosts in Amazon AWS. Odd. Why would they need that? They were communicating to Amazon AWS on port TCP/3478. This port is for STUN Session Traversal Utilities for NAT. Basically a way for a client inside a private network to establish a session with an external server and provide bi-directional control / communications.
https://en.wikipedia.org/wiki/STUN
Now glance back up at that ad photo from Wemo.
Peace of Mind with Remote Control
While the Wemo is compatible with Amazon Alexa, Google Assistant and Apple HomeKit, Wemo is also trying to have their own "Cloud-based" solution for users to phone home, if needed, to turn things off and on. This is the same type of solution that the other three use (Apple, Amazon and Google) to control IoT devices from outside the home network, but to see it from Wemo as a DEFAULT feature enabled, it is a surprise.
Yes, I said a DEFAULT feature enabled. I went back to the Wemo app and looked around the settings and found that the Remote Access was enabled, but at least had a way to turn it off.
I turned that feature off and unplugged / plugged both of the Wemo devices to reboot them. Sadly, it turns out that doesn't really turn the feature off. Both devices still attempted to connect to the Wemo AWS hosts on port 3478. And when that port was blocked, they moved to port 3475.
The DNS requests that were made are for the following FQDN with 2 A records:
prod1-nat-xbcs-net-1543133972.us-east-1.elb.amazonaws.com.||A||50.19.219.131
prod1-nat-xbcs-net-1543133972.us-east-1.elb.amazonaws.com.||A||50.19.222.95
I had to block ports 3475 and 3478 for all devices. Currently, the Wemo smart outlets just keep sending SYNs over and over again in hope they will establish a connection.
A final disappointment from the Wemo is the choice for the default (only?) NTP server they choose to use. Here are the logs from the firewall:
So who is the 192.5.41.41 host? It's the US Department of Defense (DOD) and the U.S. Naval Observatory.
This does not appear to be a "public" NTP server for end-user clients, but rather for other Stratum 2 servers to use. Of course, any time there is an open service (like NTP) on the Internet, people are bound to abuse it.
http://support.ntp.org/bin/view/Servers/PublicTimeServer000287
But wait! Did you see the two other IP addresses the Wemo tried to use for NTP time sync? Check out the first one:
NIST.gov https://www.nist.gov/ had to put in a DNS PTR record that explicitly says that the IP address in use has not even been an NTP server since 2012!! That server was probably retired before Wemo was even a company. This sloppy attention to detail is what you can expect from IoT devices that end up with buggy and outdated firmware that end up being compromised and expose your home or corporate network to hackers.
The thing that concerns me the most about these findings with the Wemo is that these are things that are going to be a part of every IoT device that some company decides to manufacture. Instead of having a "dumb" device that uses the local network to turn lights on and off, it has to be more, it has to be "smarter" to offer some fancy service to customers enabling them to turn their lights on and off using their phone at a movie or dinner.
The IoT devices do not disclose information to the end-users as to what they are doing. There is no EULA clause that says "we are going to open a bi-directional session up to your home so that we can access your outlets any time we want to." And what about miscreants? Is this a good time to point out that Wemo has had issues with these exact connections since, oh, I don't know, 2014?
John Fontana
Last scary thought for this and the future: I expect that I am more sophisticated regarding this type of security analysis than > 99% of the other people that purchase these things at Costco or other retailers.
Most end-users that purchase these types of devices and blindly plug them into their home networks are going to have ZERO knowledge about what the device is doing or could do on their network.
This really is a recipe for disaster. It is just a matter of when it will happen, not if. How much outbound DDoS traffic could a smart outlet generate? 20Mbps per device? It already has the C&C channel set up with AWS, just waiting to be issued a command to fire. When will it happen?
Coming up: I will have another write-up on why our choices of devices that we add to our homes is so important. As a sample, here is an article about how the FBI recommends that these types of devices have their own security zone in your home network: