They don't have an externally exposed IP address. They connect to the mother ship via NAT and UPnP and the connection is guarded by your router. And, they are too resource-limited to do any actual harm.
You have misinterpreted what I meant by IP address. I mean public or private IP address.
Regardless of how an individual IoT node, sensor, or device connects to the Internet, if it has to directly connect to the Internet or a cloud provider to function or set up, this device individually is responsible for full implementation of all of the layers of the OSI model that allow for communication to the Internet: a full network stack.
On the other hand, relays, switches, sensors, and the like using protocols such as Z-Wave, Insteon, X10, LoRa, old Zigbee, which all require the base station to function, take a different approach: no Internet connection. There’s no risk of an outside attacker gaining control over a device that never implemented an IP network stack. This device alone will never have any possible remote vulnerability. The standards it implements were written as a standard, and they all adhere to the standard. For example, Z-Wave communicates in the 900 MHz spectrum and doesn’t need any Wi-Fi.
Their implementation for remote control is not local to the hardware - like Belkin’s switch.
Non “IP networked” IoT devices instead are managed by a single node - a base station - that is potentially but not necessarily connected to the Internet, which is subsequently the only way to access the IoT switch, sensor, or node outside of the home. It acts as a gatekeeper, a single node on your private IP network, instead of many. I have 40 dumb IoT devices that are running off of one base station, so the routing table of my up-to-date HP Enterprise router, with the most current security update, has 8 devices total: my IoT hub, my printer, my iPhone, Surface Duo, iPad, my three PCs. All of these are also still up to date with security updates and still fully supported.
The difference here is massive. Wi-Fi devices have the disadvantage that in order to be compatible with your router, and join a Wi-Fi network, they must each individually implement the same technology as a computer or smartphone.
There is my problem. I am skeptical of all IoT switches, sensors, etc. that require any kind of communication from the single node to the Internet to function. While this may not be a major concern for you, the issue here is that it is a vulnerability that will not be addressed, ever. Wi-Fi is a band-aid solution for making a home user’s IoT experience more accessible and familiar. It was never designed for this type of application and does poorly at it too.
Since the attack doesn’t have to be local to a network to be a threat, it might be a distant possibility.
If I stick solely to devices that all do not have the Internet requirement, and manage it with a supported, easily updated, easy to upgrade base station, then only one device would be able to ever be compromised.