06-03-2016 03:13 PM
Recently, Bitdefender published a report on the security of IoT devices and included the Wemo Insight Switch in their findings. They point to an initial vulnerability only present during the set-up process when there is a very brief open connection between the Wemo device and the users’ home network, and claim that a hacker could potentially exploit this to gain access.
However, it is critical to note that the window of time during which this vulnerability is present is only a few seconds at most. In order to gain access, a hacker would have to be physically within range of the user’s home network and sniffing it at the EXACT moment they enter their Wi-Fi password. This issue does not affect any Wemo device that is already configured or any data transmitted to the Wemo Cloud. Wi-Fi credentials cannot be obtained from Wemo devices in normal use – such as when someone accesses their Wemo Switch to turn off a lamp while at the airport, for example – and devices in normal use cannot be compromised either.
Though the Wemo Insight Switch was called out in the report, the vulnerability reported is not specific to Wemo as it involves a set-up process that is commonly used with other Wi-Fi, Bluetooth or other connected devices. The likelihood of any user being affected by this vulnerability is extremely low and we don’t believe it poses a significant risk to Wemo users. That said, we are always evaluating our security measures and won’t hesitate to make changes if the risk becomes more significant.