Naked Security

WeMo smart home devices can be used to spy on Android phones

Researchers found vulnerabilities, now fixed, that could have turned your crockpot into a launching pad for malicious JavaScript.

By now, I’m sure we’re all familiar with the infamously insecure Internet of Things (IoT).

If it isn’t routers, web cameras and maybe even printers feeding into the Mirai botnet – the malware that delivered the most powerful distributed denial of service (DDoS) attack in recent history – then it’s a home automation kit from WeMo that could have let attackers get at its Android app and spy on phones.

Belkin has already issued a firmware update to fix the vulnerability.

But the bug finders – Invincea Labs researchers Scott Tenaglia and Joe Tanen – told Forbes that it’s possible to completely kill the update process on already infected devices, meaning that no fix can ever be delivered.

They’re planning to talk about that hack at Black Hat Europe in London this week.

They’ll also be detailing another vulnerability: an old-school SQL injection bug in WeMo remote management interfaces that could lead to getting root – as in, near-total control – of a device.

SQL injection is a popular technique for attacking websites. In this case, the website isn’t on some server somewhere out on the internet but is, rather, an interface provided by the device that allows users to control it (your router probably works the same way).

SQL injection is a very common and very serious form of attack that just refuses to die.

The databases targeted by the SQL injection attack contain the rules that control the home automation devices, such as when to turn off a crockpot, or that a motion detector should turn on the lights between sunset and sunrise.
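As an added illustration (not code from the article, Belkin or Invincea Labs), the following Python snippet models a rules table like the one the article describes and contrasts a lookup that splices the device name into the SQL text with a parameterized one. The schema, sample rules and device names are constructed for the example; the point is that the parameterized query treats whatever the caller supplies as data, while the spliced one lets it change the statement.

```python
import sqlite3

# Constructed sample automation rules (device, action, start, end); the schema is
# invented for this example and is not Belkin's.
SAMPLE_RULES = [
    ("crockpot", "turn_off", "18:00", "18:00"),
    ("porch_motion", "lights_on", "sunset", "sunrise"),
    ("heater", "turn_on", "06:00", "08:00"),
]


def make_rules_db():
    """Create an in-memory SQLite database holding the sample rules."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE rules (device TEXT, action TEXT, start TEXT, end TEXT)"
    )
    conn.executemany("INSERT INTO rules VALUES (?, ?, ?, ?)", SAMPLE_RULES)
    return conn


def rules_for_device_unsafe(conn, device):
    """Vulnerable pattern: the caller-supplied name becomes part of the SQL text,
    so quote characters inside it change the meaning of the statement."""
    sql = f"SELECT device, action FROM rules WHERE device = '{device}'"
    return conn.execute(sql).fetchall()


def rules_for_device_safe(conn, device):
    """Hardened pattern: the name travels as a bound parameter and is only ever
    compared as data, whatever characters it contains."""
    sql = "SELECT device, action FROM rules WHERE device = ?"
    return conn.execute(sql, (device,)).fetchall()


def compare(device):
    """Run both variants against a fresh database and return (unsafe, safe).
    A syntax error raised by the unsafe variant is returned as a string."""
    conn = make_rules_db()
    try:
        unsafe = rules_for_device_unsafe(conn, device)
    except sqlite3.OperationalError as exc:
        unsafe = f"error: {exc}"
    safe = rules_for_device_safe(conn, device)
    conn.close()
    return unsafe, safe


if __name__ == "__main__":
    # An ordinary name: both variants agree.
    print(compare("crockpot"))
    # A name with an apostrophe (a plausible user choice) breaks the unsafe
    # query outright, while the safe query simply finds no such device.
    print(compare("Dad's lamp"))
    # The textbook tautology: the unsafe query now returns every rule in the table.
    print(compare("x' OR '1'='1"))
```

The apostrophe case is worth noting for defenders: a query that falls over on a legitimate name is the same query that can be steered by a crafted one, so unexplained SQL syntax errors in a device's logs are an early sign that the management interface is splicing input into statements.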

The researchers’ talk, scheduled for Friday, is titled Breaking BHAD: Abusing Belkin Home Automation Devices.

They said that the hacks are possible thanks to “vulnerabilities in both the device and the Android app that can be used to obtain a root shell on the device, run arbitrary code on the phone paired with the device, deny service to the device, and launch DoS attacks without rooting the device”.

The WeMo app lets the user assign names to their devices. Before the vulnerability was fixed, the researchers said an attacker on the same network could change that device name to include malicious JavaScript code.

Tenaglia gave ComputerWorld’s SecurityWeek this attack scenario:

The attacker emulates a WeMo device with a specially crafted name and follows the victim to a coffee shop.

When they both connect to the same WiFi, the WeMo app automatically queries the network for WeMo gadgets, and when it finds the malicious device set up by the attacker, the code inserted into the name field is executed on the victim’s smartphone.
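The scenario above turns on the app rendering a name it learned from the network as if it were markup. As an added example (not code from the article, Belkin or Invincea Labs; the article does not describe how the WeMo app actually renders names), this Python snippet shows a discovered-device list rendered two ways, plus an allowlist policy applied before a name reaches the UI at all. The device names, the allowlist and the `poison()` function name are all constructed for the example.

```python
import html
import re

# Allowlist for names accepted from network discovery: letters, digits, space and
# a few punctuation characters, 1 to 32 characters. This policy is constructed
# for the example and is not WeMo's.
NAME_PATTERN = re.compile(r"^[A-Za-z0-9 _.\-]{1,32}$")
PLACEHOLDER = "(unnamed device)"


def is_valid_device_name(name):
    """True if a discovered name satisfies the allowlist policy."""
    return bool(NAME_PATTERN.match(name))


def sanitize_discovered_names(names):
    """Replace any discovered name that fails the policy with a placeholder, so
    untrusted network data never reaches the UI layer unchanged."""
    return [n if is_valid_device_name(n) else PLACEHOLDER for n in names]


def render_device_list_unsafe(names):
    """Vulnerable pattern: names are concatenated straight into HTML, so markup
    inside a name is interpreted by the WebView instead of displayed."""
    items = "".join(f"<li>{n}</li>" for n in names)
    return f"<ul>{items}</ul>"


def render_device_list_safe(names):
    """Hardened pattern: every name is HTML-escaped before insertion, so it is
    shown as text no matter what characters it contains."""
    items = "".join(f"<li>{html.escape(n, quote=True)}</li>" for n in names)
    return f"<ul>{items}</ul>"


# Constructed names as a discovery scan might return them. poison() is a
# hypothetical function name standing in for whatever script is embedded.
DISCOVERED = ["Kitchen Crockpot", "<script>poison()</script>"]

if __name__ == "__main__":
    print(render_device_list_unsafe(DISCOVERED))
    print(render_device_list_safe(DISCOVERED))
    print(render_device_list_safe(sanitize_discovered_names(DISCOVERED)))
```

The two defenses are independent: output encoding protects the rendering step even when a bad name slips through, and the allowlist keeps the attack surface small (and gives you something to log) before rendering is ever reached. Use both; the escaping alone is the minimum.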

Invincea Labs first reported the flaws to Belkin on 11 August. Belkin responded the same day and confirmed the vulnerabilities, Tenaglia told eWEEK.

The firmware update for the SQL injection vulnerability went live on Tuesday, said Leah Polk of Belkin. She told Forbes:

Users will see a firmware update notification when they open their app.

We’ve heard about WeMo device vulnerabilities before. In February 2014, IOActive reported that the Belkin devices could be remotely commandeered using the firmware update mechanism.

The day after the news came out, Belkin responded by saying that the issues had already been fixed.

This is one more example of how IoT insecurity so often amounts to vendors not treating their things sufficiently like computers.

Belkin has reacted swiftly to address vulnerabilities, but in this day and age, should we still be confronted with familiar and easily prevented flaws such as SQL injection?

Here once again is a summary of Chester Wisniewski’s take on what’s needed to secure the IoT, from his article about debunking some Mirai botnet myths:

What’s needed is industry standards and best practices, including thoroughly testing devices for security issues before shipping them to consumers, abiding by best practices and making sure that there is a clear mechanism for patching bugs – and that mechanism must include notifying the owner of the device.


1 Comment

“…should we still be confronted with familiar and easily prevented flaws such as SQL injection?”

No, we should not be confronted with well-known security vulnerabilities. There are open source static code analyzers which will catch this. That Belkin will not use free tools to check their code before shipping says that security is near the bottom of their priority list if it made the list at all. It’s to their credit that they respond quickly to reported vulnerabilities but it would be better to not ship them in the first place.
