There is no authentication or encryption for device communication over the local network, meaning anyone, and any device, on the same network can send the malicious SQLite file to the Belkin device.
Tenaglia and Tanen exploited the flaw to plant a second SQLite database on the device, crafted so that the command interpreter would also accept it as a shell script. They placed the file in a location from which the device's network subsystem executes it automatically when the device restarts.
On restart they gained root control over the device and used it to run Telnet (although, they say, hackers could run anything at that point). Tenaglia and Tanen said at the conference that the technique could be used for DDoS attacks or to make the IoT product malfunction, for instance by overheating it.
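The file the researchers describe is a polyglot: a shell reads a script line by line and runs each line as a command, a line of binary page data merely fails with "command not found" and the shell moves on, so a database that stores a text value containing a newline, a command and another newline is a valid SQLite database and a working shell script at the same time. The Python scanner below is added here as an illustration and is not the researchers' tooling or Belkin firmware code; it views a file the way sh would and flags command-looking lines. The table layout, file names and the list of command indicators are assumptions made for this example, and the sample payload is a harmless echo.

```python
"""Added example: scan a SQLite database file for lines that a POSIX shell
would execute if the file were run as a script (a SQLite/shell polyglot).
The indicator list is a heuristic chosen for this example, not a shell parser.
"""
import os
import re
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"

# Heuristic indicators of a shell command line (assumption: a short practical list).
SHELL_INDICATORS = re.compile(
    rb"(^#!|\b(?:sh|bash|telnetd|wget|nc|chmod|rm|cp|mv|sed)\b"
    rb"|/bin/|/tmp/|\$\(|`|&&|\|\||[;|>])"
)


def shell_visible_lines(data: bytes):
    """Yield (line_number, line) for the lines a shell would try to run:
    non-empty, not a plain comment, and made only of printable ASCII (or tab).
    Lines holding other control bytes are binary page data the shell cannot parse."""
    for number, line in enumerate(data.split(b"\n"), start=1):
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith(b"#") and not stripped.startswith(b"#!"):
            continue
        if any((b < 0x20 and b != 0x09) or b > 0x7E for b in stripped):
            continue
        yield number, stripped


def find_shell_polyglot(path: str):
    """Return [(line_number, command_text)] for command-looking lines inside a
    file that carries the SQLite magic header; [] if the file is not SQLite."""
    with open(path, "rb") as handle:
        data = handle.read()
    if not data.startswith(SQLITE_MAGIC):
        return []
    return [(number, line.decode("ascii"))
            for number, line in shell_visible_lines(data)
            if SHELL_INDICATORS.search(line)]


def make_device_db(path: str, friendly_name: str) -> None:
    """Build a valid one-row SQLite database (constructed sample, assumed schema)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE device (id INTEGER PRIMARY KEY, friendly_name TEXT)")
    con.execute("INSERT INTO device (friendly_name) VALUES (?)", (friendly_name,))
    con.commit()
    con.close()


def integrity_ok(path: str) -> bool:
    """True when SQLite itself accepts the file as a well-formed database."""
    con = sqlite3.connect(path)
    result = con.execute("PRAGMA integrity_check").fetchone()[0]
    con.close()
    return result == "ok"


def demo():
    """Scan a benign database and a polyglot one; return both hit lists."""
    workdir = tempfile.mkdtemp()
    benign = os.path.join(workdir, "benign.db")
    polyglot = os.path.join(workdir, "polyglot.db")
    make_device_db(benign, "Upstairs Baby Monitor")
    # Harmless stand-in for an attacker's payload: command text on its own line
    # inside an ordinary TEXT column. SQLite still considers the file valid.
    make_device_db(polyglot, "Upstairs Baby Monitor\necho polyglot-executed > /tmp/marker\n")
    assert integrity_ok(benign) and integrity_ok(polyglot)
    return find_shell_polyglot(benign), find_shell_polyglot(polyglot)


if __name__ == "__main__":
    benign_hits, polyglot_hits = demo()
    print("benign:", benign_hits)
    print("polyglot:", polyglot_hits)
```

The point of the `integrity_ok` call is that validating the upload as a database does not help: the polyglot passes `PRAGMA integrity_check` cleanly. The scanner only catches the pattern as described; the actual fix is never handing a data file to a shell.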
“We could easily run Mirai on this…. The only real remediation is a firmware update,” said Tanen at Black Hat Europe.
Both researchers praised Belkin for the speed with which it responded. Both vulnerabilities were verified the same day, within an hour; Belkin released a patch for the Android app on September 1st, and the firmware update was available as of November 1st.
Yet Tanen told CSO that hackers can kill the firmware update process entirely: “Once you’re on the device, the firmware update process just runs the script. We could easily remove that file, or modify that script.
“We could trivially break the firmware update process to prevent it from ever updating the firmware.”
The second vulnerability allows malicious code to run inside the Android app.
For example, when a user opens the device in the app, instead of displaying the friendly name “Upstairs Baby Monitor”, the phone executes code that has been injected into the device's ‘friendly name’ field.
Neither technique required root access on the phone; the app only had to be open or still running in memory.
Researchers speak on Belkin and 1995 IoT security
Tenaglia and Tanen told CSO Online that Belkin has been ‘very responsive’ to their report, even singling the company out as one of the better IoT vendors for security.