Boffins turn phone into tracker by abusing pairing with – that's right – IoT kit
Security researchers exploit vulns in Belkin home automation product
Black Hat EU – Security researchers have worked out how to hack into a smartphone and turn it into a tracking device by abusing its pairing with a Belkin home automation device.
Joe Tanen and Scott Tenaglia of Invincea Labs were able to root a WeMo device before injecting code into the WeMo Android app from the compromised device. The attack, which used an IoT device to hack into a phone, relied on abusing normal functionality in order to exploit the app, the researchers explained during a presentation at Black Hat Europe on Friday.
Vulnerabilities in both the device and the Android app can be abused to obtain a root shell on the device, before running arbitrary code on the phone paired with it. The same approach might be used to crash the device, and launch DoS attacks without rooting it.
"We were able to turn your phone into a GPS tracker because your IoT kit is kinda insecure," Tenaglia explained.
The talk – entitled Breaking BHAD: Abusing Belkin Home Automation Devices – also covered details of heap overflow, SQL injection, and code injection zero days, as well as their associated exploits. These various flaws were resolved by a recent update from Belkin.
The researchers credited Belkin with taking security far more seriously than most IoT vendors by responding to security research and developing a patching process.
In 2013 and 2014, several high-profile vulnerabilities were found in Belkin's WeMo line of home automation devices. Belkin not only patched most of those vulnerabilities, but also maintains a very regular update cycle, which "makes them one of the more responsive players in the IoT space", according to the Invincea Labs duo.
El Reg approached Belkin for comment on the research but has yet to hear back with anything substantive. We'll update this story as and when we hear more.
In a statement, Belkin said it worked with the researchers to address security flaws in the WeMo devices, the significance of which it downplayed.
"We were able to issue a fix for the first Android App issue almost immediately, and then just recently released the firmware patch for the SQL Injection vulnerability on Nov. 1. Both of these fixes address all of the vulnerabilities reported by Invincea.
"We don’t believe these latest vulnerabilities presented a major threat, largely because they were both addressed before the researcher’s findings were released, and the actual likelihood of someone being able to execute this in a real life situation is extremely small. It would essentially require someone to target a Wemo user that is running old firmware and then get access to their local area network at the same time in order to run malicious code. That said, we did address both of them ASAP to ensure that no one could exploit these particular issues."
The SQL injection vulnerability was patched as of 1 November in WeMo firmware versions 10884 or 10885, depending on the device.
More info on the various issues uncovered by the Invincea team can be found in a blog post here. ®