02-19-2015 09:17 AM - edited 02-19-2015 09:44 AM
Yesterday, I installed a WeMo Insight to control a couple lights in my living room. It is the only WeMo device I own. This morning, I opened my WeMo app on my iPhone 5. The Devices list has 8 switches (in addition to my one), and 8 cameras on it. A few have names like “backyard” and “GARAGE” – there’s even a camera named “daisy.” I tried one of the switches, and apparently I am able to turn it on and off (I don’t know which house these devices are in, so I have no way of knowing if it’s actually controlling the switch, but the button in the app turns on/off, green/grey).
I don’t have the Belkin NetCam app, but it says if I download it I would be able to access the cameras too! [See Edit below]
What is going on here? First of all, I thought you couldn’t control WeMo devices on more than one WiFi network from the same phone. So even if one of my neighbors doesn’t have a password for their WiFi, how is this possible? Secondly, does this mean that if someone with the WeMo app gets close to my house, they could control my living room lights? The camera thing is especially disturbing, but I don’t have a Belkin camera, so it’s not my main concern at the moment.
[EDIT] I downloaded NetCam, and each of the cameras takes me to the login screen which requires a password. So no, I can't access the cameras, which is a good thing. It autofills the username though, and each one is different. "sjgregg", "akanaz", "jglazald", "billkendig". So apparently these are not all coming from the same neighbor. I doubt the few houses around me each have Belkin net cams, so my phone must have detected all these on my drive to work. Btw, even though I can't access the camera view without a password, I can still see the last time motion was detected on them via the WeMo app.
02-19-2015 08:38 PM - edited 02-19-2015 09:08 PM
That's kinda alarming. Setting up the WEMO will require you to connect to the WeMo ID so it's weird that you see WEMOs other than yours. Also, you cannot control other WEMO devices in different homes. Have you tried forcing the app to close, then uninstalling and reinstalling the app? Can you post a screenshot of the app? I'm curious what it looks like.
02-20-2015 07:43 AM
Well, that's interesting. So VictorR8 is purplechix? I'm subscribed to this topic and I see that this exact response was first posted by Victor, then deleted and replaced as authored by purplechix. What on earth are you support folks thinking here, what possible reason do you have for masking identities like this?
In any case, this is very, very, very alarming and it's the second reported incident. There's clearly a problem with credentials management in your cloud servers. And I do mean a serious problem - as in CNET level news story "Belkin wemo cloud exposes security vulnerability". These are security cameras after all, and leaking ids to android makes them targets for dictionary attacks on the passwords. Let alone the mysterious reports of "my lights turned off for no reason".
I hope this is being given the proper level of attention by the team. I fear it is not, 'cause the standard "uninstall, reset, and re-install" response will at best hide the problem. And at worst you may lose the chance to debug it while it's happening. To be blunt, the previous opportunity (and customer) was lost because the support team didn't take it seriously - the customer returned the product in frustration.
@ , tying back to our discussion about the purpose of WemoManager - one of its main features is to allow us to set up our own automation server instead of using the cloud. We can literally keep our personal data in house and avoid this exact risk - that cloud hacking or bugs would inadvertently expose it to the outside world.
02-20-2015 08:18 AM
I sent you a PM yesterday to get some info that is best not posted in the normal communities. Check your PMs and when I get that info I can do some digging on the back end of the cloud to see what is up.
I'll keep everyone updated here; I just don't like exposing MAC addresses on the public side of the forums.
Belkin Technical Support
02-23-2015 05:40 AM - edited 02-23-2015 05:49 AM
Thanks for your reply. Here are three screenshots from my app. Only the "Living Room Lights" is mine. Over the weekend, I hid all the ones that weren't mine, but they were back this morning.
As you can see, it tells me when these people's cameras detect motion. If I click on a camera, it takes me to the NetCam app and auto-fills in their username and asks for their password.
I can control the switches, and change their scheduled on/off times in the Rules. In fact, I had never made any rules myself, but I can see that the person with the "lovebirdtweet" switch is apparently using it as an alarm on weekday mornings.
Robert_S, I sent you the info you requested.
By the way, this is a new unit, not used or a gift. I bought it on Amazon last week.
02-23-2015 12:12 PM
Got your PM. Just came back from talking with the cloud team. They are going to pull some logs from when you added that WEMO to see what they can find. I have a feeling this only happens when you are on a cellular connection, a 5GHz network connection or a remote Wi-Fi, correct? It shouldn't happen when you are on the local 2.4GHz network that your WEMO is on.
While the cloud guys are looking at the logs can you provide a bit more info? Your ISP, and the make/model of your modem and router? I was hoping for more clear cut info when I pulled your info from the cloud but it wasn't as cut and dry as I had hoped so that's why I'm hitting up the cloud team.
Belkin Technical Support
02-23-2015 02:42 PM - edited 02-23-2015 02:59 PM
I hadn't noticed before, but you're right. When I am home and have Wi-Fi enabled on my phone, the foreign devices become "Not Detected." As soon as I turn off Wi-Fi or leave the house, and my phone starts using cellular data, they are detected again. Also, I have an iPad that is not cellular enabled, and it has never detected them.
I have Time Warner Cable internet and my modem is an Arris DG860A like the one here.
02-24-2015 10:30 AM
Cool, that's what I thought would happen. It looks like something is wacky on the back end. I'll let you know what I get from the cloud guys. They will have to go through some logs.
Belkin Technical Support