WEMO Application

Showing results for 
Search instead for 
Do you mean 
Reply
Moderator
Posts: 555
Registered: ‎06-17-2015

Re: Wemo security or not with visitors

You can actually remove a user from the remote access manually, that can be found under remote access in settings.

 

As for the account lock down, that may not be possible for now since WEMO is not account based, and if you're going to buy a used WEMO, a reset  should remove that worry, since it will delete all the previous information from the cloud.

 

For the last item mentioned. I can't answer that, since I don't have the appropriate information.

Thaddeus - 14850
WEMO Technical Support
WEMO Maker Inventor
Posts: 1,578
Registered: ‎06-14-2014

Re: Wemo security or not with visitors

That looks to be new, and it could be useful.  Though what happens if my not so friend disables my access while adding his own?  This isn't so far fetched - there's a few people on this communitity using wemos in vacation condos.  The guests could grab control of them during their stay - esp if they had their own wemos back home so a reason to open the app.  And the owner is of course 1000s of miles away so being locked out is pretty tough to fix.

 

I'm not the brightest guy so it's tricky for me to think through the scenarios and make sure they're covered.  Have you considered publishing a list of all of the possible scenarios and how they're handled or avoided?  Maybe with do's & don'ts.  For example I think usng wemos on a public network should be very strongly discouraged (in coffee shops, or at the office).

 

BTW, have you tried this yourself?  Or at least had the test team test the possible scenarios?  I was curious and when I checked there were indeed some of my devices listed (I'm not sure it was a complete list and there was at least one duplicate, but hey, it's not my job to test).  So I did a forget and disable from two of my handsets, then re-enabled and reconnected both.  Neither of my remote accessible handsets showed up on the other afterwards.  But I was abie to control the same wemos from both.  Sounds pretty similar to the original poster's question.

 

On a side note and FWIW it's nice to see the full court press on support from you folks this week - kudos for that and thanks for stepping in here.

 

Community Manager
Posts: 558
Registered: ‎05-27-2014

Re: Wemo security or not with visitors

Mike,

 

Let me take a quick stab at that.  If I missed anything or you have questions let me know.

 

WEMO was designed for an ease of setup.  That means you set it up on one smart device and you bring another one into the network, install the App, start it up and it finds the WEMO's on the network and links itself to them both locally and remotely.

 

So we have that part understood and out of the way.

 

As the network owner what you can do is

  1. set up a guest network and give that out.  That is a bit more secure all around.
  2. If someone should get added to your WEMO network just go in and disable their remote access.  They won't be able see nor control your WEMO devices again until you bring them back on your network. 

Also there is something that gets brought up a lot so I will bring it up here.  Scenario:  You own WEMO devices and your friend owns WEMO devices.  You invite your friend over and give them access to your WIFI.  As long as they don't uninstall/reinstall the App while on your network you have nothing to worry about.  If they launch the App on your WIFI it will detect they are not on their WIFI and go remote and they will only control theirs.

 

Regards,

Robert S.

Belkin Technical Support

WEMO Maker Inventor
Posts: 1,578
Registered: ‎06-14-2014

Re: Wemo security or not with visitors

Thanks Robert, and yes, I undersand that easy setup is a key requirement.

 

But it hides too much which exposes us to risk - more so because we as users can't see what's happening and so don't know how to keep from making a mistake.  And I'll step out of line a bit here to suggest that the architecture is too convoluted - risking that the development team won't be able to code it properly (securely), and the test team won't be able to test it properly.

 

You can only see and change remote access when you're connected locally.  So the vacation home scenario is definitely a problem.  So is the practical joking visitor - all one needs to do is clear app data, then connect and enable remote access.  The owner might never know unless they think to check the remote access status. The naming convention used for the remote access devices escapes me (though the names seem familar) - I wouldn't necessarily know which devices to disable even if I discovered an exposure.

 

Sure, isolating the wemos to a separate network is a good idea - in fact that's what I do for various reasons.  But even this simple level of network setup is a little too much for many.

 

What might help here is some transparency on how this works, like:

  • How does the app decide it's on it's "home" network.  SSID?  Router MAC?
  • What's the naming convention for phones/tablets given remote access?
  • How are wemo's known in the cloud?  How are handsets known in the cloud?  How is the association made?

If we had some insight (no pun intended!) we'd be better able to know what to watch for and to evaluate the risk for ourselves in different situations.

Community Manager
Posts: 558
Registered: ‎05-27-2014

Re: Wemo security or not with visitors

Security like what you are talking about Mike is being investigated for how to implement it with all the different working parts.  Remember it might kill your App too.

 

I've also put in a feature request for giving the user the ability to remove their own smart devices completely from the remote network.  Right now you have to contact us and we can do it but in the long term that won't be viable for anyone.  

 

As for your questions... I'll take my best shot at this.

  1. I don't have the exact answer for this.  
  2. I think this link will help with how it chooses the name.  It shows up on the cloud as whatever name you gave it based on how it found it.  http://community.wemothat.com/t5/WEMO-Application/why-does-wemo-android-app-need-access-to/m-p/5748#...  scroll down to my post (post 10) for the list of the Android permissions.  It has in there where the App looks for the smart device name.
  3. WEMO in cloud by MAC address/Serial number.  Smart device in cloud by UniqueID code generated by APP based on your smart device.  

Regards,

Robert S.

Belkin Technical Support

 

WEMO Maker Inventor
Posts: 1,578
Registered: ‎06-14-2014

Re: Wemo security or not with visitors

I remember that thread for #2.  Not sure I like the way the name get's calculated any more now than I did then, but it explains why the names look familiar.  My preference if it were my design would be to skip harvesting personsal information and let the user decide.

 

You're scaring me about my app Smiley Happy... I expect I'll be ok as I never go near the user's cloud account.

 

But it may not matter anymore, I got a PM from someone on this board, if it all works out I may just hiring someone to turn my lights off manually instead of using wemo's Smiley Wink

 

Hello
Sent: ‎08-18-2015 05:58 PM
 
Please contact me at my private email address, ************

My father of blessed memory deposited the sum above US$ 13.5 Million in Bank and an additional 12million pounds in a security company safe and secure with my name as the next of kin.

I have contacted the Bank to clear the deposit but the Branch Manager told me that my late father place an instruction on the deposited fund that i must present a foreign trustee who will help me in investment of the fund.

However, the manager advised me to provide a trustee who will stand on my behalf for the transfer of the fund.

 

 

Community Manager
Posts: 558
Registered: ‎05-27-2014

Re: Wemo security or not with visitors

Hey I got that message as well... It looks like you beat me to it and are going to get that cash first.

 

 

Posts: 1
Registered: ‎12-20-2015

Re: Wemo security or not with visitors

Why can't Belkin add user ID and password to restrict access? Anyone at Belkin listening?
Moderator
Posts: 555
Registered: ‎06-17-2015

Re: Wemo security or not with visitors

We are looking into different methods of enhancing the usability of the product including features like accounts. But we still don't have any ETA on when will this be applied. We'll post any updates on our website regarding this.

Thaddeus - 14850
WEMO Technical Support
Posts: 1
Registered: ‎01-04-2016

Re: Wemo security or not with visitors

We need this security system. For example i dont want MY son to have access to wemo devices. Si the re a way to create more security