Thursday, May 9, 2013

CVE 2013-3518 - Belkin WeMo Information Exposure

# Title: Belkin WeMo Information Exposure
# Date: 5/9/13
# Author: Mickey Shkatov
# Vendor Homepage:
# Version: Any version prior to
US : WeMo_US_2.00.2176.PVT
World Wide :WeMo_WW_2.00.2176.PVT
 # CVE: CVE 2013-3518

Belkin WeMo devices with firmware prior to WeMo_US_2.00.2176.PVT allow physically proximate attackers to access the file system and extract the private key, public key, trust chain and passphrase used to encrypt Belkin firmware.

Affected products:
 - Belkin WeMo
 - Other: Since the same encryption keys are used for other Belkin products, all those products are susceptible to malicious modification.

Jan 10 2013 - Contacted Belkin support.
Jan 11 2013 - Belkin support replies with request for details.
Jan 11 2013 - Description of vulnerability sent.
Mar 28 2013 - A fix to the Firmware has been published by Belkin.
Apr  7 2013 - Fix confirmed.