Smart switch may turn off your Wi-Fi for good

Alexandra GHEORGHE

June 02, 2016


You might be risking your privacy, and even physical security, if you use a next-generation switch to control appliances in your home.

In analyzing several IoT devices, Bitdefender found that the Wi-Fi-enabled WeMo Switch has weak access point authentication and may expose users' private Wi-Fi credentials.

The WeMo switch can turn plugged-in electronic devices on or off remotely and includes scheduling and IFTTT automation capabilities. The product has over 2,000 five-star reviews on Amazon, and the mobile app, WeMo, boasts over 100,000 downloads on Google Play.

Coincidentally, in 2014, the device was the subject of a hacking experiment which took advantage of encryption keys and cloud services to push malicious firmware updates and capture credentials. At the time, the company said it would update its software to add SSL encryption and password-protect the serial port interface to prevent a malicious firmware attack.

Going after the password

During device configuration, all data is transmitted in plain text except the Wi-Fi password, which is encrypted with a symmetric 128-bit key.

The Wi-Fi password is secured with an AES key derived from the MAC address and the device ID. Since the device ID and MAC address are transmitted in the clear, researchers had all the elements for decryption at their fingertips. Using a decryption tool, they managed to reverse engineer the key generation algorithm, recover the password and get inside the network.
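
The design flaw described above, as an added example that is not Bitdefender's tooling or the vendor's code: the page does not give the actual key generation algorithm, so `weak_key` is a hypothetical SHA-256 stand-in, and the frames, field names and out-of-band `device_secret` are assumptions. It audits how many key bits stay hidden from a passive listener, next to a derivation keyed by a secret that never goes on the air.

```python
import hashlib
import hmac
import secrets

# Constructed values: the device's own identifiers and the cleartext setup
# frames that carry them (not a real capture).
DEVICE_MAC, DEVICE_ID = "AA:BB:CC:00:11:22", "EXAMPLE-0001"
SETUP_FRAMES = [f"mac={DEVICE_MAC}".encode(), f"device_id={DEVICE_ID}".encode()]

def observed_fields(frames):
    """Fields any passive listener can read from cleartext setup traffic."""
    return dict(f.decode().split("=", 1) for f in frames)

def weak_key(mac, device_id):
    """Hypothetical stand-in KDF: 128-bit key from public identifiers only."""
    return hashlib.sha256(f"{mac}|{device_id}".encode()).digest()[:16]

def hardened_key(mac, device_id, device_secret, salt):
    """HKDF-SHA256 (RFC 5869), first output block cut to 128 bits.
    The input keying material is a secret that is never transmitted."""
    prk = hmac.new(salt, device_secret, hashlib.sha256).digest()
    info = f"wifi-setup|{mac}|{device_id}".encode()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:16]

def unknown_bits(kdf_inputs, visible):
    """Bits of key material a listener still has to guess."""
    return sum(bits for name, bits in kdf_inputs.items() if name not in visible)

def audit():
    seen = observed_fields(SETUP_FRAMES)
    weak_inputs = {"mac": 48, "device_id": 64}        # nominal sizes (assumed)
    hard_inputs = dict(weak_inputs, device_secret=128)
    # Assumed out-of-band secret, e.g. a code printed on the device label.
    device_secret, salt = secrets.token_bytes(16), secrets.token_bytes(16)
    device_hard = hardened_key(DEVICE_MAC, DEVICE_ID, device_secret, salt)
    # The listener knows the public salt and identifiers but not the secret.
    listener_hard = hardened_key(seen["mac"], seen["device_id"],
                                 secrets.token_bytes(16), salt)
    return {
        "weak_unknown_bits": unknown_bits(weak_inputs, seen),
        "weak_key_recovered": weak_key(DEVICE_MAC, DEVICE_ID)
                              == weak_key(seen["mac"], seen["device_id"]),
        "hardened_unknown_bits": unknown_bits(hard_inputs, seen),
        "hardened_key_recovered": device_hard == listener_hard,
    }

if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result}")
```

When every input to the key derivation is visible on the wire, the 128-bit key length adds no protection; the strength of the scheme is the number of key-input bits a listener cannot see.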

[Figure: Device MAC and SSID]

Security measures

“The authentication and traffic encryption flaws that often afflict IoT systems are known in the security industry but, despite this, mitigation is often neglected,” says Radu Basaraba, malware researcher at Bitdefender.

“In particular, authenticating IoT actors with proper mechanisms and standards is essential for the future of IoT. Although lack of authentication seems like a minor mistake, it ultimately leads to jeopardizing users’ confidence in vendors and the IoT landscape itself,” Basaraba says. “IoT vendors need to prioritize security before their devices become hugely popular, leaving millions of people at risk of cyberattacks.”

Researchers from Bitdefender Labs have investigated a random selection of IoT devices: a smart LED, a Wi-Fi-enabled switch, a Wi-Fi audio receiver and a smart power adapter. Note: the scrutinized gadgets were chosen randomly, based on popularity, product reviews and price affordability.

This article is based on the technical information provided courtesy of Bitdefender researchers Dragos Gavrilut, Radu Basaraba and George Cabau.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.
