Pierluigi Paganini
November 06, 2016
Belkin’s WeMo home automation firmware that’s in use in its light bulbs, switches, security cameras, coffee makers and room heaters has recently been found vulnerable to an SQL injection.
The hack allows root privileges to a third party, which already has access to the devices’ local network.
Researchers at Virginia based Invincea Labs discovered the vulnerability and also warned of a related knock on exploit path which allows for compromise of the Android device used to control the Belkin home automation systems.
The flaw exploits a weakness in field validation by allowing a threat actor to inject malicious JavaScript via the device name field.
Scott Tenaglia, Research Director at Invincea stated that the flaws were previously unknown and not linked to earlier flaws in the WeMo home automation products.
Invincea Labs privately disclosed the flaws on Thursday the 11th of August with Belkin publicly announcing the vulnerability the next day.
On September the 1st, Belkin released a patch, which remedied the code injection vulnerability on the Android app. A further patch was released by Belkin to fix the WeMo appliances on November the 1st
It’s unknown how many WeMo products are vulnerable to this particular weakness, however, in 2015 it was reported that Belkin WeMo had approximately 1.5 million products in use.
Researchers at Invincea stated that every one of their devices that allow for remote control or administration is vulnerable to the attack.
In order to exploit this particular set of vulnerabilities, a malicious actor would first have to gain access to the local network where the smart devices were located. They would then have to leverage the shared network infrastructure in order to move the malicious code from their entry point to the vulnerable devices.
According to Tenaglia “The goal of the attacker is to hop from one device – a PC that can be later disinfected – to another device that can’t be protected – such as an IoT device,”. He then went on to explain, “Once the attacker has access to the IoT device they can do whatever they want from downloading Mirai-type malware for creating a botnet or just control the device in question. They can also infect or re-infect any PC on the same network with malware of their choice.”
Invincea Labs tested their concept by infecting a WeMo device with a malicious PowerShell script and from there open a telnet connection on the device and have it supply a root shell to requesters.
Tenaglia also stated that once infected the device could be configured to deny requests to patch the system and default setting reset attempts unless patched with the recently released firmware update.
Once the access had been granted the researchers found that the attack could progress to target Android devices running the WeMo app used to control the home automation devices.
“This is the first time anyone has discovered a way for IoT devices to hack your phone”, according to Tenaglia.
The vulnerability affects devices by placing unsanitized JavaScript into the name fields of the device, instead of only being recognized as a string the malicious code is executed instead.
“Every WeMo device can be assigned a name. What we found is you can set the name property in the device to a malicious string. The malicious string contains JavaScript code. And when the Android app requests the name of the devices it needs to connect to, it will download the malicious JavaScript code that is the name of the device, and execute the code,”
Utilizing the hack in the lab environment Tenaglia reported that they were able to both access the photo gallery on the phone as well as activate the GPS beaconing system, allowing third parties to track and locate the device.
“All this hack allows us to do is run code in the context of the WeMo app. We do not have root access to the phone,” Tenaglia said. Furthermore, access to the Android device is limited to only when the app is active or running in memory on the phone. Once the WeMo remote app is shut down, access is terminated. “What we have is an in-memory infection. The code does not persist on the phone when you force quit the app. However the name of the device is still that malicious string. So when you connect to that device again the reinfection occurs,”
Written by: Steven Boyd
Steven is a security consultant, researcher, ethical hacker and freelance writer with over 16 years of experience in the industry. He has provided security consultancy to some of the world’s biggest banks, the private sector as well as public services and defense. He is the owner and creator of security blog www.CybrViews.com.
Twitter: @CybrViews
[adrotate banner=”9″]
(Security Affairs – Belkin WEMO , hacking)
