WEMO Ideas


WARNING - WEMO DEVICES HAVE MAJOR DESIGN FLAW that could pose major security risks

by HomeController on ‎09-05-2017 07:48 PM

Hi - just got off the phone with Wemo Support.  Agent tried his best and actually got to someone who could answer the questions.  However - the answer CONFIRMED my suspicion that WEMO devices have a major design flaw.  Basically anyone with the WEMO APP who can get on the same WIFI network as your devices will be able to control them.  The APP (and devices) are designed to automatically detect each other - even if they've never been set up to work together. Sure my wifi has WPA2 with a complex passphrase, but anything can be hacked (HOME DEPOT credit card scandal anyone).   At the very least, if the devices had to belong to a user account with user name, password and maybe even 2-step verification (Google Authenticator is free), it would considerably increase the security and solve a few other problems...namely multi-location control.

 

Security risks aside...which I don't even want to think about in too much detail...this design flaw makes setting up 2 locations (which already requires a workaround - take your pick of the options) impossible for anyone with even basic home automation aspirations (probably WEMO's target market).  The minute you connect to the WiFi at your secondary location (even if the phone has never been there) it autodetects the Wemo devices on the local WiFi and puts all the devices in the primary location (which you probably want to control remotely, since you are not physically there...) in "not detected" mode.  WEMO's solution: go on cellular data or use the "Guest Network"...oh wait, now all the other home automation or media stuff I have in my secondary location (AppleTV, Chromecast) can't be accessed because I'm not on the same SSID...anyone find this completely ABSURD?

 

Why don't the WEMO devices come with a massive warning label about this stuff?

 

This should be an easy fix...I can think of so many solutions (and others have it fixed - NEST has no issues with multiple locations and it controls your HVAC and smoke alarms and a host of cameras, it even organizes them neatly into different locations - all work perfectly).

 

Come On BELKIN - stop messing around with stupid little upgrades and actually fix the major design flaw in the whole WEMO system.
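The post describes the app and the devices finding each other on the local network with no account involved. The script below is an added example, not code from the post, from Belkin or from the Wemo app; it shows what such credential-free LAN discovery looks like on the wire. It assumes (this is an assumption, not something the post states) that the devices answer standard UPnP/SSDP M-SEARCH probes and identify themselves with a Belkin-specific URN in the USN header; the search target string, the IP addresses and both sample responses are constructed for illustration. It only enumerates devices and parses their replies; it does not send any control commands.

```python
import re
import socket
from typing import Dict, List, Optional

# Standard SSDP multicast group and port (UPnP spec), no assumption there.
SSDP_ADDR = "239.255.255.250"
SSDP_PORT = 1900
# ASSUMPTION: Wemo devices answer a search for this Belkin service URN.
SEARCH_TARGET = "urn:Belkin:service:basicevent:1"


def build_msearch(st: str = SEARCH_TARGET, mx: int = 2) -> bytes:
    """Build the M-SEARCH probe a discovering app would multicast.

    Note what is NOT here: no token, no password, no account identifier.
    Any host that can reach the multicast group can send this."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_ADDR}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw: bytes) -> Optional[Dict[str, str]]:
    """Parse a unicast SSDP reply into a dict of lower-cased headers.

    Returns None for anything that is not a well-formed 'HTTP/1.x 200' reply,
    so malformed or unrelated UDP datagrams are simply dropped."""
    text = raw.decode("utf-8", errors="replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    if not lines or not re.match(r"HTTP/1\.[01] 200\b", lines[0]):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def is_belkin_device(headers: Dict[str, str]) -> bool:
    """ASSUMPTION: a Wemo identifies itself with 'urn:Belkin:' in USN or ST."""
    ident = headers.get("usn", "") + " " + headers.get("st", "")
    return "urn:belkin:" in ident.lower()


def filter_wemo(replies: List[bytes]) -> List[Dict[str, str]]:
    """Keep only well-formed replies that look like Belkin devices."""
    result = []
    for raw in replies:
        hdrs = parse_ssdp_response(raw)
        if hdrs is not None and is_belkin_device(hdrs):
            result.append(hdrs)
    return result


def discover(timeout: float = 2.0) -> List[Dict[str, str]]:
    """Send one probe on the real LAN and collect replies until timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    replies: List[bytes] = []
    try:
        sock.sendto(build_msearch(), (SSDP_ADDR, SSDP_PORT))
        while True:
            data, _addr = sock.recvfrom(65535)
            replies.append(data)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return filter_wemo(replies)


# CONSTRUCTED sample replies (not captured from real hardware): one that
# matches the assumed Belkin URN, and one from some other UPnP device.
SAMPLE_WEMO_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=86400\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.50:49153/setup.xml\r\n"
    b"SERVER: Unspecified, UPnP/1.0, Unspecified\r\n"
    b"ST: urn:Belkin:service:basicevent:1\r\n"
    b"USN: uuid:Socket-1_0-000000000000::urn:Belkin:service:basicevent:1\r\n"
    b"\r\n"
)
SAMPLE_OTHER_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"LOCATION: http://192.168.1.20:8080/description.xml\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:11111111-2222-3333-4444-555555555555::upnp:rootdevice\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for dev in discover():
        print(dev.get("location"), dev.get("usn"))
```

The point of the example is the first function: the probe carries nothing a rogue client on the same SSID could not send, which is exactly the property the post complains about. The `discover()` call touches the network only when the file is run directly; everything else works on the constructed replies.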

Comments
by Bilim35CI7
on ‎09-05-2017 08:16 PM

Keep your guests on a different Wifi network and you can use AutomationManager for multiple locations.

by WEMO Maker Inventor
on ‎09-06-2017 08:58 AM

It was definitely a poor architecture decision to make their app appear accountless and then bind it to your SSID and portable device.

 

If someone has hacked into your WPA2 wifi you've got much bigger troubles than them playing with your lights...  for example they could use your router to spoof your DNS to discover things like banking passwords.

 

But here's the real risk - they don't need to hack into your WPA2, they only need to hack into the IoT cloud provider (or be a less than ethical provider themselves).  By setting up an IoT device (any, not just Belkin's) you've given that provider your email, SSID, wifi password, and geolocation.  And they've probably stored it permanently in their cloud servers.

 

Setting cloud devices to disable remote access isn't enough - all that does is disable your remote access to them.  But the devices will still communicate with the cloud to report in and exchange data.  And they're now a bridge (a trojan horse) from the cloud service into your network that could pretty much do anything - like spying on network traffic.

 

The only truly safe way to use these devices (especially, IMO, the questionable cloud-only devices coming out of Asia) is to isolate them in their own network with a strong firewall between them and your personal network.  And block them from the internet too (though so much for the cloud if you do).

 

As Bilim says, AutomationManager supports multiple locations, but it also allows you to isolate the devices.  It uses google authentication for remote access.  It does not use (store) your data on a proprietary cloud nor server - you use your google account as your own personal cloud service on google's servers.

by signoproseries
on ‎09-08-2017 10:31 PM

I like
