A SQL injection vulnerability is present in Belkin’s WeMo home automation firmware that could allow a third party with local access to a network to gain root access to devices such as light switches, lightbulbs, security cameras and coffee makers.
Scott Tenaglia, research director at Invincea Labs, says the vulnerabilities were previously unknown and unrelated to earlier flaws found in Belkin’s WeMo home automation products. Tenaglia is scheduled Friday to deliver a talk Black Hat Europe called Breaking BHAD: Abusing Belkin Home Automation Devices.
The vulnerability was privately disclosed on Aug. 11 and confirmed the next day by Belkin. On Sept. 1, Belkin released a patch for the Android app fixing the code injection vulnerability. Belkin told Threatpost on Tuesday that firmware addressing the SQL Injection vulnerability will be released this afternoon.
It’s unclear how many WeMo products are vulnerable to this type of attack. But, according to Invincea Labs, Belkin had 1.5 million home automation products in use as of 2015. Invincea Labs said any one of those devices that can be controlled or managed remotely are vulnerable to the SQL injection attack.
“The goal of the attacker is to hop from one device – a PC that can be later disinfected – to another device that can’t be protected – such as an IoT device,” Tenaglia said. “Once the attacker has access to the IoT device they can do whatever they want from downloading Mirai-type malware for creating a botnet or just control the device in question. They can also infect or re-infect any PC on the same network with malware of their choice.”
In a proof-of-concept attack, Invincea Labs infected the targeted WeMo device’s OpenWRT firmware by putting a file on the device’s file system that included a PowerShell script. With that type of access, researchers were able to open telnet services on the WeMo device and have it auto-log any connection into a root shell giving a third party administrative access to the WeMo device.
The vulnerability, according to Tenaglia, could also allow an attacker to configure WeMo devices to reject any patches and commands to reset devices to their factory default settings. However, Tenaglia told Threatpost, Belkin’s upcoming firmware update would remove any malicious code on an infected device’s firmware.
With that type of access to WeMo devices, Invincea Labs said the attack could easily be escalated to target Android devices running the WeMo app used to manage and control the home automation devices remotely.
“This is the first time anyone has discovered a way for IoT devices to hack into your phone,” Tenaglia said.
In one proof of concept, researchers were able to download the Android phone’s entire gallery of pictures and videos. A second hack allowed researchers to turn on the Android phone’s GPS beaconing system in order to track the user’s whereabouts.
“All this hack allows us to do is run code in the context of the WeMo app. We do not have root access to the phone,” Tenaglia said. Furthermore, access to the Android device is limited to only when the app is active or running in memory on the phone. Once the WeMo remote app is shut down, access is terminated.
“What we have is an in-memory infection. The code does not persist on the phone when you force quit the app. However the name of the device is still that malicious string. So when you connect to that device again the reinfection occurs,” Tenaglia said.