Anti-Malware , DDoS , DDoS Attacks

Researchers' Belkin Home Automation Hacks Show IoT Risks

Numerous Flaws Trace to IoT Software Stacks that Aren't Secure by Design
Researchers' Belkin Home Automation Hacks Show IoT Risks
Invincea Labs researchers Joe Tanen (hardware guy) and Scott Tenaglia (software guy). Photo: Mathew Schwartz

As if the internet of things didn't seem secure enough, now we have to worry about apps on our smartphones posing a risk too.

See Also: Three and a Half Crimeware Trends to Watch in 2017

That's just one of the takeaways from the discovery of two zero-day vulnerabilities and one hardware-bypass flaw - now patched - in Belkin's WeMo line of home automation products. The flaws, and how to exploit them, were demonstrated Nov. 4 at Black Hat Europe by two researchers from endpoint security software firm Invincea, in a presentation titled: Breaking Bhad: Abusing Belkin Home Automation Devices.

Belkin bills its WeMo apps as being "designed to address simple automation needs without the hassle or expense of whole home automation." Compatible products include everything from "smart" LED light bulbs, power switches and baby video monitors to coffeemakers, slow cookers and heating controls. In November 2015, Belkin reported that 2.5 million devices using their technology were in the market.

But security researchers Joe Tanen and Scott Tenaglia of Invincea Labs found two zero-day flaws involving WeMo products. The first is a SQL injection vulnerability in the SQLite database used by the firmware. The flaw can be remotely exploited to seize control of the device. By exploiting the flaw, remote attackers could then do anything they want with it. That would include infecting the devices with malware, such as Mirai, to turn the device into a distributed denial-of-service attack launch pad.

The second zero-day vulnerability involves a code injection flaw - via cross-site scripting - in the WeMo app for Android. The researchers say they were not able to get a related attack against the iOS app to succeed.

Using the WeMo app, users can create rules, for example, to turn on lights at a specific time of day or when the app - via the smartphone's GPS functionality - registers that they're a quarter-mile from home. But the researchers found that they were able to suborn a function called FriendlyName. It allows users to rename their WeMo devices, for example, to label power switches for lamps as "kitchen" or "living room," to make them easier to manage via the WeMo app.

By changing a FriendlyName name to a malicious string of text, however, the researchers found that they could use Belkin WeMo devices to hack into any Android apps to which the devices connect. But when accessing the apps, the researchers gained access to everything that the app - by default - is able to access, including photos and GPS coordinates. Users can disable those defaults, but the researchers question how many would have done so.

Belkin has confirmed the flaws and says it's grateful to Invincea for flagging them.

"Working with researchers like them is an important part of our security process," spokeswoman Leah Polk tells Information Security Media Group. "We always do our best to address any potential vulnerabilities as soon as we possibly can to ensure our devices remain safe to use."

The researchers could inject arbitrary code by changing WeMo devices names.

Second-Order Effects

Having insecure IoT devices that can be turned into DDoS launch pads or spam cannons is one problem, and it's unfortunately quite common, as the Mirai malware has highlighted. But having an IoT-related app be vulnerable to attack by IoT devices is a "second-order effect," Tenaglia says. "Why is it the case that I can do something to your device to turn it into a GPS tracker? Do we want to choose between a secure phone and a remote-controlled crockpot?"

The repercussions are extensive. As Tenaglia said during his talk, after demonstrating how the flaw could be exploited: "I've just turned your phone into a GPS tracker because your IoT's app was kind of insecure."

The researchers say that the apps could likely also be hacked by attackers on the same local network, for example, at a coffee shop if attackers were using a WeMo emulation app on their laptop, although that has yet to be tested. "All the communication with WeMo devices are unencrypted and unauthenticated when you're on the local network," Tenaglia says.

During their Black Hat Europe talk, the researchers also demonstrated a hardware authentication bypass technique that they discovered, although they noted that it requires having physical access to the device. Even so, enterprising cybercriminals could buy a WeMo device, exploit it to gain root access, then use the hacked device to more easily test any exploits they build.

"It's a lot easier to hack a white box than a black box," Tenan says.

Belkin: Better Than Many

The Invincea researchers say that when it comes to IoT device manufacturers, Belkin takes security relatively seriously. They note that after submitting a private vulnerability report to Belkin on Aug. 11, Belkin verified the zero-day flaws the same day, noting, too, that they existed in even newer versions of the firmware than those to which the researchers had access. The company then released an updated version of its Android app to patch the code injection vulnerability on Sept. 1 and on Nov. 1 released updated firmware to fix the other zero-day flaw.

Belkin says that it remediated the flaws as quickly as possible, to block related attack vectors, but believes that these flaws posed a low real-world risk to users. "We don't believe these latest vulnerabilities presented a major threat, largely because they were both addressed before the researcher's findings were released, and the actual likelihood of someone being able to execute this in a real-life situation is extremely small," Polk says. "It would essentially require someone to target a WeMo user that is running old firmware and then get access to their local area network at the same time in order to run malicious code."

One ongoing IoT challenge is that many manufacturers don't release firmware updates for devices, or don't get them into users' hands.

Belkin declined to detail how many WeMo-compatible devices are in the market or share a breakdown by firmware version. But the company says users do receive update notifications. "When we launch new firmware, a notification pops up when you open the WeMo app to alert users to a new firmware and prompt them to install," Polk says.

The Internet of Hackable Things

Invincea's Tenaglia, speaking after the demonstration, says another endemic IoT security problem is that device manufacturers tend to build on open source, Linux-based software stacks because they're free. One challenge, however, is that many organizations fail to consider how these software stacks - and not just their own, custom-developed app code - might need to be locked down.

"So we need to start thinking about the entire software stack that IoT is based on not just the stuff that we write - I think that's an important takeaway from this exercise," Tenaglia says.

Using such software securely requires security smarts, and not all developers are information security experts.


Invincea Labs researchers Joe Tanen (right) and then Scott Tenaglia (left) detail some of the security challenges of using open source firmware for IoT such as Linux-based OpenWrt, which Belkin WeMo devices employ.

Efforts are underway to build more secure IoT operating systems, for example, in the form of Google's Brillo OS and Weave platform for IoT development. But those efforts have yet to come to full fruition. And in the meantime, new IoT devices from numerous manufacturers are being churned out by the millions.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network