ZDI Advisory (Date: 08/1/2019)
Wemo Remote Code Execution Vulnerability (Date: 08/21/2018)
Wemo UPnP Vulnerability (Date: 08/18/2018)
KRACK Advisory (Date: 10/19/2017)
CallStranger Vulnerability (Date: 06/16/2020)
Belkin is aware of the recent CallStranger vulnerability which was made public on June 8th, 2020. We agree with the researcher's assessment and working to release firmware updates to all products which could be affected. We also recognize that the highest risk of this vulnerability impacts devices which have UPnP services directly exposed to the internet, which Wemo products do not do. We recommend that all customers ensure that their router's firewall is enabled and not forwarding any ports that were not intended. We also strongly recommend that you have an anti-malware software installed and updated on any computers connected to your home network.
ZDI Advisory (Date: 08/1/2019)
We would like to thank the ZDI Team for notifying us regarding their findings with the Belkin N150 (Model F9K1001), Belkin N300 (Model F9K1002), and Belkin N300 (Model F7D2301v1) routers. Unfortunately these particular models, which were initially released in 2010, are currently end-of-life and no longer supported by Belkin. We did, however, review all of the ZDI’s findings and understand that they can only be exploited from within the router’s network, meaning someone would either need physical access to the router or have pre-existing knowledge of the Wi-Fi SSID and password. Our recommendation, if you’re using one of the Belkin routers listed above, is ensure you only provide your Wi-Fi SSID and password of your router to people that you trust and to change your SSID and/or password if you believe it may have been compromised. We also recommend, if you or the devices on your network do not require UPnP, to disable this feature by following the instructions on our support page: https://www.belkin.com/support-article?articleNum=8260. If you have any other questions or concerns please contact Belkin support: https://www.belkin.com/support/.
Wemo Remote Code Execution Vulnerability (Date: 08/21/2018)
“Wemo is aware of this vulnerability from Doug McKee AKA “fulmetalpackets” and researchers at the McAfee Labs Advanced Threat Research. We have been working together to address the exploit and plan to release firmware in the coming month.”
Wemo UPnP Vulnerability (Date: 08/18/2018)
"Our Wemo development team has been working with the researchers who identified the recent DNS Rebinding findings and its potential impact on the local network communication for our Wemo devices which use the UPnP protocol. DNS Rebinding could allow a “threat actor” to penetrate a victim’s home network by using their web browser as a proxy using “phishing” scams or malicious banner ads. Our Wemo development team is committed to take action in securing our products from these types of attacks by implementing additional security around the UPnP implementation.
By using the responsible disclosure process, we were able to quickly understand the exploit from the researchers and began working on the best solution to protect our customers. We plan to release an updated mobile app and firmware to all our Wemo devices in the coming months that will address the vulnerability."
For more information on how to avoid phishing scams please visit https://www.sec.gov/reportspubs/investor-publications/investorpubsphishinghtm.html
KRACK Advisory (Date: 10/19/2017)
Overview
An exploit vulnerability called KRACK (which stands for Key Reinstallation Attack) was identified by a researcher regarding a flaw in the Wi-Fi Protected Access 2 (WPA2) protocol that helps secure products on a protected Wi-Fi network. The WPA2 protocol is ubiquitous in Wi-Fi networking. The vulnerability described is in the standard itself, rather than just being present in certain companies’ products. Thru this exploit, a series of vulnerabilities were found including a local access vulnerability (hackers need to be within range of a user’s Wi-Fi network) that is known to exploit a flaw in the four-way handshake process between a user's device and a Wi-Fi network. It potentially allows an attacker unauthorized access to the user’s protected Wi-Fi network without the password. More details about the vulnerabilities can found at the ICASI site here.
Company Statement: 10/16/17
Belkin International, (Belkin and Wemo) is aware of the WPA2 vulnerability. Our security team is verifying the details and we will advise accordingly. Also know that we are committed to putting the customer first and are planning to post instructions on our security advisory page on what customers can do to update their products, if and when required.
Solution
Until a firmware is available, we recommend customers use WPA2-Personal or Enterprise with AES as the wireless encryption type and stop using WPA2/WPA Mixed Mode with TKIP or AES* to reduce the impact of this vulnerability. Although WPA2-Personal or Enterprise does not prevent the attack, it makes the attack more difficult to execute effectively. To learn how to change your WPA security settings, click here.
When firmware is available, customers should know that all devices that offer automatic firmware updates will update to the latest firmware offering a fix to these vulnerabilities when it is available unless the customer has specifically opted out from this service. Customers that opted out of automatic firmware updates and customers of adapters, bridges, range extenders that do not support automatic firmware updates can download the firmware when it is available from https://www.belkin.com/support.
For Wemo devices, the mobile applications will notify the users on the availability of new firmware and will prompt the users to initiate the firmware update.
If users are not able to perform a firmware update or receive an error message during the update, please contact Belkin or Wemo customer support for further instructions.
Confirmed Affected Products:
Overview
An exploit vulnerability called KRACK (which stands for Key Reinstallation Attack) was identified by a researcher regarding a flaw in the Wi-Fi Protected Access 2 (WPA2) protocol that helps secure products on a protected Wi-Fi network. The WPA2 protocol is ubiquitous in Wi-Fi networking. The vulnerability described is in the standard itself, rather than just being present in certain companies’ products. Thru this exploit, a series of vulnerabilities were found including a local access vulnerability (hackers need to be within range of a user’s Wi-Fi network) that is known to exploit a flaw in the four-way handshake process between a user's device and a Wi-Fi network. It potentially allows an attacker unauthorized access to the user’s protected Wi-Fi network without the password. More details about the vulnerabilities can found at the ICASI site here.
Company Statement: 10/16/17
Belkin International, (Belkin and Wemo) is aware of the WPA2 vulnerability. Our security team is verifying the details and we will advise accordingly. Also know that we are committed to putting the customer first and are planning to post instructions on our security advisory page on what customers can do to update their products, if and when required.
Solution
Until a firmware is available, we recommend customers use WPA2-Personal or Enterprise with AES as the wireless encryption type and stop using WPA2/WPA Mixed Mode with TKIP or AES* to reduce the impact of this vulnerability. Although WPA2-Personal or Enterprise does not prevent the attack, it makes the attack more difficult to execute effectively. To learn how to change your WPA security settings, click here.
When firmware is available, customers should know that all devices that offer automatic firmware updates will update to the latest firmware offering a fix to these vulnerabilities when it is available unless the customer has specifically opted out from this service. Customers that opted out of automatic firmware updates and customers of adapters, bridges, range extenders that do not support automatic firmware updates can download the firmware when it is available from https://www.belkin.com/support.
For Wemo devices, the mobile applications will notify the users on the availability of new firmware and will prompt the users to initiate the firmware update.
If users are not able to perform a firmware update or receive an error message during the update, please contact Belkin or Wemo customer support for further instructions.
Confirmed Affected Products:
We are still confirming all product SKUs affected, including Belkin Routers and Range Extenders, and Wemo Products. As mentioned, when firmware is available, it will be posted to the associated brands’ support page.
| Vulnerability | Products Possibly Affected |
| Belkin Products
|
| Belkin Products
|
* The reason for this is that WPA2/WPA mixed mode allows the use of TKIP which will enable attackers to forge packets. WPA2 only allows the use of AES which prevents the forging of packets and at the same time, makes decryption of packets more difficult (although not impossible).
