That’s basically what experts at IOActive found is the case with Belkin’s WeMo family of home automation devices.
According to research released today, multiple vulnerabilities in these WeMo Home Automation tools give malicious hackers the ability to remotely control the devices over the Internet, perform malicious firmware updates, and access an internal home network.
But poking a hole in your network to accommodate remote access to NAS systems can endanger your internal network and data if and when new vulnerabilities are discovered in these devices.
From IOActive’s advisory (PDF): The Belkin WeMo firmware images that are used to update the devices are signed with public key encryption to protect against unauthorised modifications.
However, the signing key and password are leaked on the firmware that is already installed on the devices.
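The advisory’s point is that a firmware signature check only protects the update path while the device holds nothing but the verifying (public) key; once the private signing key and its passphrase are recoverable from an installed image, the check is decorative. The following is an added example, not code from IOActive, Belkin or the article: a small audit that scans a firmware blob for PEM blocks and credential-style strings, treats public keys and certificates as expected, and flags any private key or passphrase as a finding. The sample image bytes are constructed here for illustration and do not come from any real device.

```python
import re

# Constructed sample firmware blob (NOT a real Belkin image): a filesystem-style
# header, an embedded public key (expected), a stray private key and a
# credential string (both findings), separated by filler bytes.
SAMPLE_FIRMWARE = (
    b"hsqs\x00\x00\x00\x10" + b"\x00" * 24
    + b"-----BEGIN PUBLIC KEY-----\n"
    + b"MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKexample+public+key+material\n"
    + b"-----END PUBLIC KEY-----\n"
    + b"\xff" * 32
    + b"-----BEGIN RSA PRIVATE KEY-----\n"
    + b"MIIBOgIBAAJBAKexample+private+key+material+do+not+ship\n"
    + b"-----END RSA PRIVATE KEY-----\n"
    + b"\x00" * 16
    + b"SIGNING_KEY_PASSWORD=examplepass\n"
    + b"version=1.0\n"
)

# PEM block: the label is captured so that BEGIN and END must agree.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

# key=value / key: value lines whose key name looks like a credential.
CRED_RE = re.compile(
    rb"([A-Za-z0-9_.-]*(?:passw(?:or)?d|passphrase|secret|private_key)"
    rb"[A-Za-z0-9_.-]*)\s*[=:]\s*(\S+)",
    re.IGNORECASE,
)

# PEM labels that a verifying device is expected to carry.
PUBLIC_LABELS = {b"PUBLIC KEY", b"RSA PUBLIC KEY", b"CERTIFICATE"}


def classify_pem(label: bytes) -> str:
    """Bucket a PEM label: private material, public material, or other."""
    if b"PRIVATE KEY" in label:
        return "private_key"
    if label in PUBLIC_LABELS:
        return "public_material"
    return "other"


def audit_firmware(blob: bytes) -> dict:
    """Scan a firmware image for embedded signing secrets.

    Returns a report dict; verdict is FAIL if any private key or credential
    string is present, PASS otherwise. Credential values are never copied into
    the report, only their length, so the report itself does not leak them.
    """
    report = {"private_keys": [], "public_material": [], "other_pem": [],
              "credentials": [], "verdict": "PASS"}

    for m in PEM_RE.finditer(blob):
        label, body = m.group(1), m.group(2)
        entry = {"offset": m.start(), "label": label.decode("ascii"),
                 # An encrypted PEM key is still a finding: the passphrase is
                 # usually stored nearby, as in this sample.
                 "encrypted": b"ENCRYPTED" in body}
        report[{"private_key": "private_keys",
                "public_material": "public_material",
                "other": "other_pem"}[classify_pem(label)]].append(entry)

    for m in CRED_RE.finditer(blob):
        report["credentials"].append({
            "offset": m.start(),
            "key": m.group(1).decode("ascii", "replace"),
            "value_len": len(m.group(2)),
        })

    if report["private_keys"] or report["credentials"]:
        report["verdict"] = "FAIL"
    return report


def format_report(report: dict) -> str:
    """Render the audit as one line per finding for a build log."""
    lines = [f"verdict: {report['verdict']}"]
    for k in report["private_keys"]:
        lines.append(f"PRIVATE KEY at 0x{k['offset']:x} ({k['label']}, "
                     f"encrypted={k['encrypted']})")
    for c in report["credentials"]:
        lines.append(f"CREDENTIAL at 0x{c['offset']:x}: {c['key']} "
                     f"(value redacted, {c['value_len']} bytes)")
    for p in report["public_material"]:
        lines.append(f"public material at 0x{p['offset']:x} ({p['label']}) - ok")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(audit_firmware(SAMPLE_FIRMWARE)))
```

Run against a real image this is a release-gate check, not proof of safety: a key stored in a custom binary format rather than PEM, or split across files, will pass the regexes. The design rule it enforces is the one the advisory implies: the device image may contain the public key needed to verify updates and nothing that can produce a valid signature.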
But things get dicier when users enable remote administration capability on these powerful devices, which is where this malware comes in.
The worm — dubbed “The Moon” — bypasses the username and password prompt on affected devices.