Security researchers exploit vulns in Belkin home automation product
Black Hat EU Security researchers have worked out how to hack into a smartphone and turn it into a tracking device by abusing its pairing with a Belkin home automation device.
Joe Tanen and Scott Tenaglia of Invincea Labs were able to root a WeMo device before injecting code into the WeMo Android app from a compromised WeMo device. The attack, which involved using an IoT device to hack into a phone, involved abusing normal functionality in order to exploit the app, the researchers explained during a presentation at Black Hat Europe on Friday.
Vulnerabilities in both the device and the Android app can be abused to obtain a root shell on the device, before running arbitrary code on the phone paired with it. The same approach might be used to crash the device, and launch DoS attacks without rooting it.
“We were able to turn your phone into a GPS tracker because your IoT kit is kinda insecure,” Tenaglia explained.
The talk – entitled Breaking BHAD: Abusing Belkin Home Automation Devices – also covered details of heap overflow, SQL injection, and code injection zero days, as well as their associated exploits. These various flaws were resolved by a recent update from Belkin.
The researchers credited Belkin with taking security far more seriously than most IoT vendors by responding to security research and developing a patching process.
In 2013 and 2014, several high-profile vulnerabilities were found in Belkin’s WeMo line of home automation devices. Belkin not only patched most of those vulnerabilities, but also maintains a very regular update cycle, which “makes them one of the more responsive players in the IoT space”, according to the Invincea Labs duo.
El Reg approached Belkin for comment on the research but is yet to hear back anything substantive. We’ll update this story as and when we hear more. ®
Sponsored: Customer Identity and Access Management