LONDON, UK – Research director Scott Tenaglia and lead research engineer Joe Tanen detailed the vulnerabilities during their ‘Breaking BHAD: Abusing Belkin Home Automation devices’ talk at the Black Hat Europe conference in London last Friday.
The zero-day flaws specifically relate to Belkin’s smart home products and accompanying Android mobile application, which is used to wirelessly control the home automation devices.
The first flaw, a SQL injection vulnerability, enables would-be hackers to inject malicious code into the paired Android WeMo smartphone app, and thus take root control of the connected home automation device.
“We found two zero-day vulnerabilities. One of them allows you to remotely root any WeMo device, and the other one allows you to do cross-site scripting, and execute arbitrary code inside the Android app for WeMo devices,” said Tenaglia, speaking to CSO Online on Friday.
The WeMo product range launched in 2012 and today includes several devices, including connected room heaters, coffee makers and humidifiers. Belkin claims to have sold 1.5 million devices to date.
Prior to the demonstration on Friday, the researchers disclosed these vulnerabilities, with Belkin issuing updates for the firmware (10884 and 10885) for the SQL injection vulnerability in November, and for the mobile application (now version 1.15.2) in August.
‘Textbook SQL injection’
The SQL injection vulnerability led the Invincea Labs duo to carry out a “textbook” SQL injection attack.
In this case, the researchers found they could inject data into the databases used by the WeMo devices to take control of the Belkin WeMo Switch (the flaw is also present in the WeMo-compatible Crock-Pot, and most likely in other WeMo devices too).
The WeMo mobile app, which is available for iOS and Android, lets users create ‘rules’ to control Belkin devices. As one example, one such rule may be for a connected lamp to automatically turn off each night at 10pm.
These rules can be configured on the app and pushed to the Belkin WeMo device over the local network as an SQLite database file. On receiving the file, the device decompresses it and uses a set of SQL queries to pull rule information from the new database and update its in-memory rules.
Tenaglia and Tanen found an SQL injection flaw in this rule-loading step, potentially enabling attackers to write an arbitrary file to a location of their choosing on the device and have the device execute that file.
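The bug class described above, as an added illustration that is not Invincea's or Belkin's code: a device reads a rules database it did not create, then splices a value taken from that file into a second SQL statement as text. The `rules` table layout and the rule names are constructed for the example; the article does not document the real WeMo schema.

```python
import os
import sqlite3
import tempfile

# Constructed rule names; the third is a crafted string that is only SQL if mishandled.
RULES = ["lamp_off_10pm", "heater_on_6am", "x' OR '1'='1"]

def build_rules_db(path, names):
    """Write a small rules database standing in for the file the app pushes (assumed schema)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE rules (rule_id INTEGER PRIMARY KEY, name TEXT, action TEXT)")
    con.executemany("INSERT INTO rules (name, action) VALUES (?, ?)",
                    [(n, "off@22:00") for n in names])
    con.commit()
    con.close()

def lookup_vulnerable(con, name):
    """Weak pattern: a value read from the untrusted file is formatted into the query text."""
    sql = "SELECT rule_id, name, action FROM rules WHERE name = '%s'" % name
    return con.execute(sql).fetchall()

def lookup_safe(con, name):
    """Hardened pattern: bound parameter, so the same string is only ever data."""
    return con.execute("SELECT rule_id, name, action FROM rules WHERE name = ?", (name,)).fetchall()

def schema_is_expected(con):
    """Refuse a pushed file whose table layout differs from what the firmware expects."""
    cols = [row[1] for row in con.execute("PRAGMA table_info(rules)")]
    return cols == ["rule_id", "name", "action"]

def demo():
    """Load the constructed file read-only, as a device should, and look the crafted rule up by name.
    Returns (rows matched by the vulnerable lookup, rows matched by the safe lookup)."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        build_rules_db(path, RULES)
        con = sqlite3.connect("file:%s?mode=ro" % path, uri=True)  # read-only open
        if not schema_is_expected(con):
            raise ValueError("unexpected rules schema")
        crafted = RULES[2]
        vuln = len(lookup_vulnerable(con, crafted))  # the quote ends the literal; OR matches every row
        safe = len(lookup_safe(con, crafted))        # only the row literally carrying that name
        con.close()
        return vuln, safe
    finally:
        os.remove(path)

if __name__ == "__main__":
    print(demo())  # (3, 1)
```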