Belkin devices on show. The company has been called out for security issues in its devices in the recent past. (Photo by David Becker/Getty Images)

Another day, another Internet of Things (IoT) security problem. This time Belkin, a company that’s been called out before for vulnerable home automation kit, has issued a firmware update that will prevent old school attacks on its WeMo kit that could have let malicious hackers haunt not just customers’ homes, but their Android smartphones too.

A SQL injection vulnerability is present in Belkin’s WeMo home automation firmware that could allow a third party with local access to a network to gain root access to devices such as light switches, light bulbs, security cameras and coffee makers. Researchers at Invincea Labs, who discovered the vulnerability, also warn of a related vulnerability tied to the WeMo Android app used to control the home automation devices. The flaw allows a third party to inject and execute arbitrary JavaScript.

FLAWS:

  • The first flaw is a SQL injection vulnerability. An attacker could remotely exploit the bug and inject data into the same databases that WeMo devices use to remember rules, such as turning off a crock-pot at a specific time or having a motion detector only turn on the lights between sunset and sunrise.
  • As for the second vulnerability, an attacker could force a WeMo device to infect an Android smartphone via the WeMo app. Belkin fixed the Android app vulnerability in August; a Belkin spokesperson pointed to a statement issued after Tenaglia’s Breaking BHAD talk at the Security of Things Forum.
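To make the first flaw concrete, here is an added example (not code from the article, Invincea Labs or Belkin) that models a device-side rules table in SQLite and contrasts the query pattern that lets injected input rewrite other rules with the parameterized pattern that stores the same input harmlessly. The table schema, the `rules` name, the field values and the injected string are all constructed for this illustration; the real WeMo database layout is not described on the page.

```python
import sqlite3

# Constructed sample schema: a small table of scheduling rules of the kind
# the article describes (turn a crock-pot off at a given time). The real
# device schema is an assumption, not taken from the page.
SCHEMA = """
CREATE TABLE rules (
    id      INTEGER PRIMARY KEY,
    name    TEXT NOT NULL,
    device  TEXT NOT NULL,
    action  TEXT NOT NULL,
    at_time TEXT NOT NULL
);
"""

# Constructed untrusted input: a rule "name" that closes the string literal
# and the INSERT, appends an UPDATE against an unrelated rule, and comments
# out the remainder of the original statement with "--".
INJECTED_NAME = (
    "x', 'lights', 'on', '03:00'); "
    "UPDATE rules SET action = 'on' WHERE device = 'crockpot'; --"
)


def make_rules_db():
    """Create an in-memory rules database with one legitimate rule."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute(
        "INSERT INTO rules (name, device, action, at_time) VALUES (?, ?, ?, ?)",
        ("crockpot off", "crockpot", "off", "18:00"),
    )
    conn.commit()
    return conn


def add_rule_vulnerable(conn, name, device, action, at_time):
    """Builds the statement by string formatting, so the input becomes SQL.

    executescript() runs every statement in the text, which mirrors a
    native sqlite3_exec()-style call that does not stop at one statement.
    """
    sql = (
        "INSERT INTO rules (name, device, action, at_time) "
        "VALUES ('%s', '%s', '%s', '%s')" % (name, device, action, at_time)
    )
    conn.executescript(sql)
    conn.commit()


def add_rule_parameterized(conn, name, device, action, at_time):
    """Binds the input as data; the driver never parses it as SQL text."""
    conn.execute(
        "INSERT INTO rules (name, device, action, at_time) VALUES (?, ?, ?, ?)",
        (name, device, action, at_time),
    )
    conn.commit()


def list_rules(conn):
    """Return all rules in insertion order as tuples."""
    return conn.execute(
        "SELECT name, device, action, at_time FROM rules ORDER BY id"
    ).fetchall()


def compare():
    """Run the same untrusted input through both code paths.

    Returns a dict with the resulting rules tables so the difference is
    visible: the vulnerable path flips the crock-pot rule to 'on' and adds
    a rule the user never created; the parameterized path stores the odd
    string as an ordinary rule name and leaves the crock-pot rule alone.
    """
    vuln = make_rules_db()
    add_rule_vulnerable(vuln, INJECTED_NAME, "lamp", "off", "22:00")

    safe = make_rules_db()
    add_rule_parameterized(safe, INJECTED_NAME, "lamp", "off", "22:00")

    return {"vulnerable": list_rules(vuln), "parameterized": list_rules(safe)}


if __name__ == "__main__":
    result = compare()
    for label, rows in result.items():
        print(label)
        for row in rows:
            print("   ", row)
```

Running the script shows the vulnerable path ending with the crock-pot rule set to `on` plus an unrequested `lights` rule, while the parameterized path keeps the crock-pot rule at `off` and records the injected text verbatim as a rule name. Detecting this class of bug in firmware usually comes down to grepping the code base for SQL assembled with `sprintf`/string concatenation and replacing it with prepared statements, exactly the change a firmware update for such a flaw would carry.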

It is unclear how many WeMo products are vulnerable to this type of attack. But, according to Invincea Labs, Belkin had 1.5 million home automation products in use as of 2015. To exploit this vulnerability, an attacker would first have to compromise a home PC and then leverage the shared network to move malicious code from the infected PC to the WeMo device’s firmware. “The goal of the attacker is to hop from one device – a PC that can be later disinfected – to another device that can’t be protected – such as an IoT device,” Tenaglia said. “Once the attacker has access to the IoT device they can do whatever they want from downloading Mirai-type malware for creating a botnet or just control the device in question. They can also infect or re-infect any PC on the same network with malware of their choice.”

Belkin reportedly fixed the SQL injection flaw via a firmware update pushed out yesterday. The app doesn’t show an update since Oct. 11, but opening the app shows new firmware is available. If you don’t update and weird stuff starts happening at home, then it’s likely your home is not suddenly haunted, more like your WeMo stuff has been hacked. If you have not updated the Android app or the firmware on your WeMo devices, then you better get on it.