Well this is just peachy – your WeMo devices can attack your Android phone.
On November 4, Joe Tanen and Scott Tenaglia, security researchers at Invincea Labs, will show you how to root a Belkin WeMo device and then inject code into the WeMo Android app from a WeMo device. They added, “That's right, we will show you how to make your IoT hack your phone.”
Between 100,000 to 500,000 people should be paying attention, since Google Play says that is how many installs the Android WeMo app has. Everyone else should take note that this is a first, even for the insecure murky IoT waters.
“In the past, people may not have been concerned if there were vulnerabilities with their internet-connected lighting or crockpot, but now that we’ve discovered that bugs in IoT systems can impact their smartphones, people will pay a bit more attention,” Tenaglia told Dark Reading. “It’s the first case that we’ve found that an insecure IoT device could be used to run malicious code inside a phone.”
The duo’s talk, “Breaking BHAD: Abusing Belkin Home Automation Devices,” will be presented at Black Hat Europe in London. They said the hack is possible thanks to “multiple vulnerabilities in both the device and the Android app that can be used to obtain a root shell on the device, run arbitrary code on the phone paired with the device, deny service to the device, and launch DoS attacks without rooting the device.”
The first flaw is a SQL injection vulnerability. An attacker could remotely exploit the bug and inject data into the same databases that WeMo devices use to remember rules, such as turning off a crockpot at a specific time or having a motion detector only turn on the lights between sunset and sunrise.
The researchers warned that if an attacker has access to an Android phone with the WeMo app installed, then commands can be sent to vulnerable WeMo devices to execute “commands with root privileges, and potentially install IoT malware that results in the device becoming part of a botnet, such as the notorious Mirai botnet.” Also according to SecurityWeek, if an attacker gets root access to a WeMo device, then the attacker actually has “more privileges than a legitimate user.”
The researchers said the malware can be removed with a firmware update, as long as the attacker doesn’t interrupt the update process and stop the user from regaining access to their device. If that were to occur, then you might as well trash the device...unless you want a hacker to be in control of your lights, any appliances plugged into WeMo switches, Wi-Fi cameras, baby monitors, coffeemakers, or any of the other WeMo products. WeMo also works with Nest thermostats, Amazon Echo and more, including WeMo Maker which allows people to control sprinklers and other products via the WeMo app and IFTTT (If This Then That).
Belkin reportedly fixed the SQL injection flaw via a firmware update pushed out yesterday. The app doesn’t show an update since Oct. 11, but opening the app shows new firmware is available. If you don’t update and weird stuff starts happening at home, then it’s likely your home is not suddenly haunted…more like your WeMo stuff has been hacked.
As for the second vulnerability, an attacker could force a WeMo device to infect an Android smartphone via the WeMo app. Belkin fixed the Android app vulnerability in August; a Belkin spokesperson pointed to a statement issued after Tenaglia’s Breaking BHAD talk at the Security of Things Forum.
Before the app flaw was fixed, the researchers said an attacker on the same network could use malicious JavaScript to change the name of the device displayed in the app; you would no longer see the “friendly” name you gave the device.
Tenaglia gave SecurityWeek the following attack scenario:
The attacker emulates a WeMo device with a specially crafted name and follows the victim to a coffee shop. When they both connect to the same Wi-Fi, the WeMo app automatically queries the network for WeMo gadgets, and when it finds the malicious device set up by the attacker, the code inserted into the name field is executed on the victim’s smartphone.
That same attack, the researchers told Forbes, would mean that “as long as the app was running (or in the background) the code could be used to track the location of the Belkin customer and siphon off all their photos, returning the data to a remote server belonging to the hacker.”
If you have not updated the Android app or the firmware on your WeMo devices, then you better get on it.