Turning the Belkin WeMo Into a Deathtrap

Okian Warrior writes "As a followup to yesterday's article detailing 50 Million Potentially Vulnerable To UPnP Flaws, this video shows getting root access on a Belkin WeMo remote controlled wifi outlet. As the discussion notes, remotely turning someone's lamp on or off is not a big deal, but controlling a [dry] coffeepot or space heater might be dangerous. The attached discussion also points out that rapidly cycling something with a large inrush current (such as a motor) could damage the unit and possibly cause a fire." In the style of Bruce Schneier's movie-plot threat scenarios, what's the most nefarious use you can anticipate such remote outlet control being used for?

If you're putting a space heater on a remote...

[Anonymous Coward]

Please, please, learn some common sense.

Never have a heater like that unattended, it's just not safe.

Re:If you're putting a space heater on a remote...

[pushing-robot]

Agreed. Heaters should never be left unattended.

Always put them on a timer, or better yet, a remote-controlled outlet you can monitor and control from anywhere.

I have a Belkin unit that works great. Highly recommended!

space heater have temp and tip over switches

[Joe_Dragon]

space heater have temp and tip over switches that can trun it off.

Re:

[X0563511]

Both (well, the tip switch anyways) are mechanical and can fail. They certainly help but should not be depended on.

Re:

[Runaway1956]

Space heaters often have not thermostat on them. They are either off, or on, and they are either high or low setting. Thermostats are relatively expensive, especially a reliable thermostat. It's the first place cheap space heater manufacturers attempt to cut costs.

Tip over switches can fail. I've seen them fail enough times that I'll never rely on one. A little dirt, some lint, a couple years of corrosion, and magically, the damned switch just doesn't work.

Re:

[X0563511]

Relays can and do handle current like that. There's no reason other than cost that this could not be made with a high current rating.

Re:

[big_e_1977]

Modern heaters can only draw 12 amps maximum. It's an electrical code/UL requirement that plug and cord connected appliance only be capable of drawing 80% continuous load of the ampere rating the plug is capable of handling. The standard american electrical outlet is only rated at 15 amps, even if it's on a 20 amp circuit. Although 20 amp electrical outlets do exist, I have never seen an an appliance sold to ordinary consumers with a 120v 20 amp plug. If one were to exist, the maximum continuous amp dra

Re:

[hurfy]

hmm, the info on the 'buy' page says "connect any appliance or device" but very little actual spec info.

I really doubt they intend for me to controll my 1975W minicomputer with this..of course i am chicken to turn it on without this gizmo but still :) Someday i'll find out if it gets up to speed before the breaker trips.

(1975W is the startup power, but that is what they are talking about)

I am thinking that this relay is gonna fry before a device can do damage however. Can't believe Belkin would use good eno

Re:

[dkuntz]

That should do just under 20A draw, if my maths are correct... A 20A circuit can handle it briefly... or just wire up 2 20As into a 20A 220:)

Re:

[wierd_w]

A typical electric space heater comes in 3 ratings.

500W
1000W
1500W

That said, I found a cute little 200W one [meijer.com]that barely feels warm even after running for hours at walmart that is intended for use on cubicle farm desks.

It really *IS* 200W at peak. I have run it successfully for hours on a 400W DC plug power inverter meant for a laptop during a winter camping trip. My impression is that the ceramic heating core heats efficiently, but that it has a rather guttless fan.

If they used something like that on the rem

Re:

[pla]

Aww, I only want to make my bathroom nice and toasty by remote control before I get out of bed, you cretin! :)

But yeah, seriously. Great tool for lights or remotely cycling power to a home server. Dumb dumb dumb idea to connect anything intended to make large amounts of heat (coffee pot) or dangerous motions (table saw).

Oddly, I thought UL/CE wouldn't approve products like this specifically for that reason - That we simply can't trust most people to have the common sense not to try to remote-start the

Re:

[babywhiz]

Why would you not base it on inside/outside temperature? Seems to me that is easiest than remote control....

Re:

[babywhiz]

Or...easier than....my brain is fried today...

Re:

[plover]

Why would you not base it on inside/outside temperature? Seems to me that is easier than remote control....

Because not every application needs to heat based on the ambient temperature (that just takes a thermostat). Usage enters into it as well.

I have a friend with an unheated airplane hanger, and an antique prop-start plane he flies once or twice a week. He has a magnetically attached heater for warming the engine oil prior to starting it in cold weather (really useful when you have to spin it by hand.) Because of the risk and expense of operating a heater unattended, he wants to power it as little as possib

Re:

[Obfuscant]

Because of the risk and expense of operating a heater unattended, he wants to power it as little as possible. Since he needs to turn the heater on about an hour before he flies, and he lives about half an hour from the airport, this is the perfect application for a remotely controlled switch to operate a heater.

Because of the risk of running the heater unattended, he puts it on a remote controlled switch so he can run it unattended? Attached to a valuable thing like an airplane? That's filled with flammable stuff called "avgas"? And may be covered in fabric coated in dope?

Wow.

What happens when he's forgotten to attach the heater before he leaves and then turns it on remotely? Or it comes loose from the engine and is laying in the engine compartment against a spar or fabric cover?

Re:

[cusco]

If your friend has a commercial access control system installed in the hanger drop me an email and I can give some instructions on how to set it up to do just that. We had a salescritter who told a customer that his access control system could do everything except make his coffee for him in the morning. Just to show off the customer got playing around and set his coffee pot up so that it would start brewing when he swiped his badge at the main entrance in the morning.

Re:

[plover]

Thanks. It's just a private hangar built 70 years ago, and I think he's pleased that someone added electricity back in the 1970's. Since he's a l33t h4x0r, he's building an Arduino connected to a GSM module to trigger it via secret SMS message.

Re:

[DriveDog]

I use a belt sander on a remote switch to pull a string that turns on the space heater. Once it gets to the end of its cord, it pulls it loose to turn itself off. The dust gets to be a problem, the floor needs a new coat of polyurethane, and the cats never come down from the hanging light fixtures. The belt sander draws quite a bit of current itself, but only momentarily.

Servers need power, too!

[Anonymous Coward]

One of the worst tech support nightmares I experienced was remotely diagnosing why the Point of Sale servers kept shutting off at the same time every week. It turned out that the outlet the battery backup was plugged into was connected to a light switch that the weekly cleaning people turned off - weekly. When support came into the room, what was the first thing they did? Turn on the lights!

Imagine power cycling all the outlets in a server room - over and over and over!

Re:

[M. Baranczak]

A story I read once, no idea if it's true:

A mainframe at a university would shut down with no warning, usually a little after midnight, then a few minutes later power back up. Nobody could figure out why. Finally, some desperate grad students decided to sit and watch the computer in person and see what happens. And what they saw at the appointed hour was a janitor coming in and unplugging the power cord so he could plug in his vacuum cleaner.

Re:

[GameboyRMH]

My boss had the very same thing happen at a department store he used to work at, it's probably not that uncommon for places without a proper, secured server room.

Re:

[DriveDog]

Mine are a little different, and are true. Every morning for a week we came in to find the HP mini had crashed after midnight. Turned out that the A/C was on a circuit in common with another tenant, which was being shut off for some construction in the wee hours every morning. The mini would run for a while until overheating caused errors leading to a crash. There was an independent circular paper chart recorder, but I can't remember why it didn't lead us to suspect overheating. Maybe it was out of paper or

Re:

[cusco]

I can believe it. We have had quite a few customers who were irate at getting alarms in the middle of the night. More than once we've had to go back through the video record (and in one case set up a temporary recorder) and show them that it was the cleaning people using a brass key instead of the keycard they had been issued.

Re:

[nedlohs]

It also implies no one is usually there "a little after midnight", which doesn't match my university experience.

good thing Michael Crichton isn't alive to see thi

[Thud457]

Charlie Luther's [imdb.com] just getting started...

Re:

[dywolf]

Love that movie

Home Invasions?

[Kadagan AU]

How about turning off the lights of a house before the burglar or attacker invades? It could cause a lot more confusion and danger for the home owners.

Swatting

[PapayaSF]

"Hello, 911? I am trapped in my house at 123 Main St. by a gang of armed robbers. I'll blink a lamp to let you know a good time to break down the front door. I'm hiding under a bed, so shoot anyone else."

Re:

[plover]

I downloaded a home automation script for my Vera that flashes the front lights rapidly in case of emergency; and I can trigger it to signal the first responders. (It tests OK on a lamp, but I've never had an emergency requiring me to actually use it.)

Re:

[spire3661]

Honestly, its easier to just pull the meter.

or they can just clap to trun them back off

[Joe_Dragon]

or they can just clap to trun them back off

Teledildonics hacking?

[gestalt_n_pepper]

Say no more. Say no more...

Re:

[gestalt_n_pepper]

Says you! What a pain in the ass, eh?

Worst Case Scenario

[Anonymous Coward]

Forcing someone's DVR to record and play Jersey Shore.

Re:

[cerberusss]

Forcing someone's DVR to record and play Jersey Shore.

You'd do me a favor! I love to watch Jersey Shore!
*Looks at DVD collection*
Oh wait, that's Jersey Whore which I like so much. Sorry, my bad.

Money trap

[coldsalmon]

You could cause a poor person's electricity bill to increase so much that they cannot afford medical care, or the utility company cuts off their heat and they freeze to death.

Re:

[Latissimus]

Change the neighbors water heater set point. Do it over night and return to the original set point again in the morning when they might check it. Ramp it up / down over a few weeks just for fun. When the repair guy shows up, make an offer to buy the old one just to see if you can "fix" it.

Re:

[cusco]

Actually they'd probably get a visit from the SWAT team first. Utility companies are required to notify police of unexpectedly high electricity bills so that they can raid pot growing operations.

Re:

[GameboyRMH]

It's possible, say the device controls an electric water heater in a 3rd-world country where energy is ruinously expensive.

Subtlety.

[pla]

In the style of Bruce Schneier's movie-plot threat scenarios, what's the most nefarious use you can anticipate such remote outlet control being used for?

Turn off the fridge after the victim goes to work for the day, and turn it back on about an hour before they get home.

Repeat until they die... of Botulism! <Cue evil laugh>

Re:

[griffjon]

You laugh, but in Peace Corps I actually had a fridge whose thermostat controls were dead, so it operated at either full-blast (freezing everthing) or unplugged. I abused an x10 plug and a timing script run off a computer to cycle it on and off over the course of the day to regulate it. Never died!

I think the most nefarious thing would be to turn off automatic coffee-makers ~ 15 seconds after they'd started, so the grounds are soaked and warm (i.e. ruined*), and there's no coffee.

* For anyone who consider

Re:

[Scarletdown]

You laugh, but in Peace Corps I actually had a fridge whose thermostat controls were dead, so it operated at either full-blast (freezing everthing) or unplugged. I abused an x10 plug and a timing script run off a computer to cycle it on and off over the course of the day to regulate it. Never died!

I think the most nefarious thing would be to turn off automatic coffee-makers ~ 15 seconds after they'd started, so the grounds are soaked and warm (i.e. ruined*), and there's no coffee.

That would be grounds for fully justified homicide. No jury in the 1st World would convict.

Re:

[cloudmaster]

"Grounds"? So, after allowing the facts to percolate, there'd bean no chance of convection?

Re:

[drinkypoo]

That's a steep hill to climb, you're in hot water for sure.

Re:

[tlhIngan]

I think the most nefarious thing would be to turn off automatic coffee-makers ~ 15 seconds after they'd started, so the grounds are soaked and warm (i.e. ruined*), and there's no coffee.

* For anyone who considers having a automated coffee pot with grounds in it overnight not /already/ a ruined coffee experience, that is.

In an office, I'd set it so it'll shut off after 1 minute so there's half a cup of coffee in there.

Not only will there never be enough for a full cup, but the person who discovers it has to

WeMo vs. high current devices?

[userw014]

I just visited the WeMo web pages and couldn't find any technical information about what watt or amperage limits on it are.

I have a hard time believing that it can handle a 1500 watt heater.

Re:WeMo vs. high current devices?

[Scarletdown]

I just visited the WeMo web pages and couldn't find any technical information about what watt or amperage limits on it are.

I have a hard time believing that it can handle a 1500 watt heater.

1500... Would that be the definition of a WeMowatt? (Beware the sleeping lion tonight.)

Re:WeMo vs. high current devices?

[sconeu]

Would that be the definition of a WeMowatt? (Beware the sleeping lion tonight.)

Bravo, sir. You win the pun of the day award. I bow before your horrendous pun, and wish I had thought of it first.

Re:

[cwebster]

Relay switched, so your circuit breakers will be the limiting factor, not this switch.

Re:

[maeka]

Yea, because relays all can handle unlimited current.

Re:

[suutar]

true, but 1500 watts is only 12.5 amps at 120 volts; that's not a whole lot of current to switch.

Re:

[suutar]

ah, I hadn't realized the difference in load types made that much difference to the relay. Thanks :)

Re:

[BeerCat]

...and you know that any electrical device, including a relay, has an upper limit on its power capacity...right?

So you get a relay to power the relay to power the device!

It's relays all the way down

Re:

[DarwinSurvivor]

Sounds like it connects to a server somewheres (probably owned or at least controlled by the WeMo company). I would never buy a home automation system that uplinks to hardware I don't own and control.

murder.

[nblender]

A suicidal performance artist using it to have himself anonymously murdered.

Late for work

[butabozuhi]

Turn off a co-worker's alarm before a big event. Nasty.

Re:

[Obfuscant]

Turn off a co-worker's alarm before a big event. Nasty.

If your co-worker has his alarm clock on a switched outlet of any kind, that says a lot about the level of intelligence your company requires for people doing your job.

Re:

[DriveDog]

I guess we have low standards, then. My radio is switched by a wall module controlled by an X10 clock. And yes, I realize that anyone could plug an X10 transmitter into my outdoor socket and wake me up with the radio anytime they wanted or flash the lights.

So the flaw in home automation products

[TheSkepticalOptimist]

...is that homes often house stupid people.

Asimo dropping a toaster into a bathtub

[kawabago]

Asimo killing his human master by dropping a toaster into his bathwater.

Re:

[PopeRatzo]

This could be dangerous.

Suppose someone were to turn on the power remotely to the leads connected to our cast-iron bathtub when my wife takes her bath at approximately 9pm (CST) every night. Suppose this happened tomorrow when I'm out bowling.

It could be tragic! Despite my having taken out a $1.5million life insurance policy for her, I'm not sure I could go on (though I know she'd want me to).

Re:

[BeerCat]

Absolutely tragic. Now what was the IP of your home automation again...

Of course, I wouldn't dream of using that information in the wrong way, so there'd be no possible harm in posting the info.

For everyone else. You mean they can see this? Ooops. :-)

Re:

[Attila Dimedici]

That reminds me of this story: http://sarcasticsarcasms.blogspot.com/2013/01/sowas-it-murder.html?spref=fb [blogspot.com] The story is not true, but is an interesting hypothetical.

Re:

[snspdaarf]

I see you have also noticed the new waitress at the coffee shop; the blonde with the big knocks.

Re:

[GameboyRMH]

Would only work if he's AC-powered and has a cord trailing behind him...

Older than dirt.

[westlake]

An early episode of "Perry Mason" (ca 1959) turned on the use of an R/C device to manipulate an antiquated gas space heater, establishing an alibi for the killing.

When the inventor of the gadget became a plausible suspect, Mason had the gas line inspected for undocumented repairs. In the end, that made it obvious the real killer had to be the first one to discover the body --- giving himself enough time to remove the device and cover his tracks.

Re:

[wonkey_monkey]

Hey, spoiler alert, jeez.

Belkins actually advertising it for this

[Charliemopps]

Belkins actually advertising it for the very purpose they're worried about:
http://belkinwemo.tumblr.com/post/32629402162/did-i-turn-it-off-i-must-have-turned-it-off-did [tumblr.com]

Plug in dangerous things so you can be sure their turned off by checking your phone.

Airconditioning Unit

[BoRegardless]

Cycling an air conditioner quickly can do bad things quickly if the air conditioner itself doesn't have modern controls to limit power cycling. That can get very expensive, though I don't necessarily think it is dangerous.

Re:

[Frank T. Lofaro Jr.]

Any air conditioner without both overload trips and compressor short cycling protection is almost certain to be dead of old age already..

People *will* die

[Jeff Carr]

Most nefarious use? Turning off the coffee pot in the morning.

Re:

[Nefarious Wheel]

Wheels. I vote for controlling wheels.

Home Automation, "Convenience"...

[Sir_Eptishous]

Home Automation apologists, flame away!

I think things like this are the tip of an emerging ice berg relating to the ip-ification of everything:

• You haven't upgraded the firmware in your garage door opener?
  • Did you properly set permissions on your gas furnace?
    • Which version of the HomeSafe *nix Kernel are you running in your UPnP'd entertainment system?

    etc; etc;
    
    To me, all Home Automation does is increase complexity and security risks for some specious conveniences.
    Maybe it's just me, but I would rather have to remember that I'm out of Mayo, than have an ip'd fridge send a message to my Android that I need to pick it up at the store.

Re:

[Spamalope]

• You haven't upgraded the firmware in your garage door opener?

You're forgetting all of the 'product enhancement' opportunities with selling a defective but update-able product!

There is an active security exploit you better update right away. Thieves are driving through neighborhoods opening garage doors to steal everything right now! Click 'I Agree *' or we'll block your install!

* By installing this update you agree that we can play doubleclick advertisements via the included loudspeaker each time the door is triggered. Your home entry and exist times will be log

evil?

[pbjones]

turning their computer off before they save a document, then turning it back on, so they blame Windoze.

Worst thing: Synchronize them!

[Avidiax]

1. Root these devices, and synchronize their clocks
2. Turn them all off
3. Monitor the power network for a temporary increase in voltage (since load was suddenly shed)
4. Just as the voltage gets back to normal, turn all the devices on.
5. Watch the power network for a temporary decrease in voltage (since load was suddenly added)
6. Just as the voltage gets back to normal, turn all the devices off.
7. Once you have found the resonant frequency of corrections to the electrical grid, tell all the devices to cycle at that frequency.
8. If there is enough load handled by these devices, the system may oscillate so heavily that voltage is far outside of normal, causing overheating or fires (either too high voltage for resistive loads or too low voltage for inductive loads), excessive vibration, design parameter excursions, etc.

Re:

[suutar]

ah, there we go, true movie-plot scale thinking. Bravo!

Thoughtful design--

[sillivalley]

I've been using home automation since the 80's (damn, that's a long time ago) in the dark ages of X10.
As with many systems, there are some important questions to keep in mind:
Does this system or particular controlled device have benign failure modes? The answer better be "Yes!"
How do I secure access to the system? (Hint: don't connect it directly to the Internet!)
Does this system have a master OFF switch and easily useable manual controls? (Think COLOSSUS Forbin Project - again, the answer better be "Y

On a server with an HD?

[hedley]

There I was, deep in dreamland one night when, from my server room I heard a faint beeping noise at regular intervals... Groggy, I wake up, totter over to the 'server room' door (spare bedroom) and have a gander. In a groggy state it took me a moment in the dark to perceive what was going on, the APC UPS was power cycling the server and other ancillary items at a regular interval, turns out, when the battery goes south, the UPC just crowbars the AC and reboots (repeat...). Now, HD's were connected to the se

Playing with people's minds is fun

[TheSeatOfMyPants]

I'm assuming one room with at least 2 WeMos for simplicity's sake... As preparation, I'd have to place wireless cameras at the windows and make sure I can see every angle from my Base Of Evil Operations.

I'd let the lights behave normally for about the first 10 minutes they're turned on with somebody in the room, then make one "flicker" (like an electrical issue might cause) and shut off. Wait for the person to approach the light, turn that WeMo back on, wait for them to head back to wherever they were at,

Worst?

[snspdaarf]

Remotely turn off the fence so the raptors can get out.

Assisted care system

[mattr]

I was thinking of making a system that would allow an aged family member to call for help to the other family members by simply shouting, for example if he had a bad fall and couldn't get up. The system would also tell him the time also vocally, could initiate a skype call, etc.
I have actually seen a product by a European startup that is designed to do something similar (I believe you knock on a wall..)
Such home systems to care for the aged would be hosed.

Let's not forget LED Lighting

[Jedi Holocron]

a large inrush current (such as a motor)

LED Lighting and the divers that run them have a significantly larger inrush current than incandescent lighting ( http://ledsmagazine.com/features/9/3/7/EcosystemFig3 [ledsmagazine.com] ). I'd be more concerned about that than a motor.

This "feature" of LED lighting was not something that was initially taken into account.

Gain control of tens of thousands in the city

[Quila]

Wait until normal peak usage, turn everything off for a bit and keep it off, then turn everything on at the same time. Collapse the grid.

Outlet Pranks 101

[jtara]

Ah, takes me back to High School.

I went to a special (no jokes, please!) city-wide high school (Cass Tech, in Detroit) in the 70's, way before the trend toward this sort of thing. (Cass Tech was actually established in the 1920's, in coopertion with the auto industry.) I had 8 sememters of Electronics in high school.

One of my classes was taught by Walter Downs, also known for some reason by his students as "Wally Gator". (A popular TV cartoon character at the time.) Wally ... er, Walter... was from Baltimor

Bluetooth Operated Dildos

[Sigg3.net]

I rest my case.

Re:

[aevan]

*misreads as red-head

Well..the topic is 'plug and play'

Re:

[Nerdfest]

I'm pretty sure that was not one of Bruce Schneier's movie plots ... at least not one he wrote down.

Re:

[Joe_Dragon]

and some may come over and thing it's that odd looking power strip must of gone bad and is cutting in and out.

Re:Creating Paranormal Activities!

[plover]

Yes, there's probably someone out there who won't realize their appliances are online, and then these devices start doing things on their own all of a sudden. It will be ghosts, goblins, shenanigans, and lulz for all.

One day at noon a few months ago, my wife was in our kitchen watching a TV show about paranormal activity of some sort or other. At the same time, being unaware that she had gone home for lunch, I was demonstrating my home automation setup to a co-worker by flicking the kitchen lights on and off from my phone.

She is so cool. She immediately assumed I was playing with the home automation. The thought of it being ghosts synchronized with the TV show simply amused her.

I married well.

Re:

[airdweller]

"She is so cool. She immediately assumed I was playing with the home automation. The thought of it being ghosts synchronized with the TV show simply amused her.
I married well."

Yeah, rub it in harder, will you?

Re:

[Nefarious Wheel]

"She is so cool. She immediately assumed I was playing with the home automation. The thought of it being ghosts synchronized with the TV show simply amused her.
I married well."

Yeah, rub it in harder, will you?

My wife's a programmer.

Re:Creating Paranormal Activities!

[adolf]

My wife's a programmer.

All wives are programmers.

Re:

[naroom]

All wives are programmers.

Programmer?!

I hardly know her!

Re:

[cusco]

Some just have more difficult systems to work with than others.

Re:

[hurfy]

How about:
The relay or relay contacts on this gadget give out.

Re:

[zootbar]

How about turning on the lights in the USPTO so they can see what they are doing.

I kind of fail to see how that would change anything.

Re:

[zootbar]

How about turning on the lights in the USPTO so they can see what they are doing.

I kind of fail to see how that would change anything.

And maybe I should read the post properly before replying. True indeed.

Re:

[snspdaarf]

Um, Peace Corps.

Re:

[DriveDog]

Ah... using the flashing LEDs to give instructions to Asimo to execute.