
SQLi, XSS zero-days expose Belkin IoT devices, Android smartphones

CSO staff | Nov. 8, 2016
Invincea Labs researchers have discovered two zero-day vulnerabilities in Belkin’s home automation devices.

There is no authentication or encryption used for device communication over the local network, meaning anyone, and any device, can send the malicious SQLite file to the Belkin device, provided they are on the same network.

Tenaglia and Tanen exploited the flaw to create a second SQLite database on the device that would be interpreted as a shell script by the command interpreter. They placed the file in a specific location from where it would be automatically executed by the device's network subsystem on restarting the device.

On restart, they gained root control over the device and could run Telnet (although they say hackers could run anything at this point). Tenaglia and Tanen said at the conference that this technique could be used for DDoS attacks or to make the IoT product malfunction, for example by overheating.

“We could easily run Mirai on this… The only real remediation is a firmware update,” said Tanen at Black Hat Europe.

Both researchers praised Belkin for the speed with which it responded. Both firmware vulnerabilities were verified on the same day within an hour, while Belkin released a patch for the Android app on September 1st. The firmware update was available as of 1st November.

Yet Tanen told CSO that hackers can kill the firmware update process entirely: “Once you’re on the device, the firmware update process just runs the script. We could easily remove that file, or modify that script.

“We could trivially break the firmware update process to prevent it from ever updating the firmware.”

The second vulnerability involves running malicious code in the Android app. Researchers discovered that an attacker could replace the device’s ‘friendly name’ with a malicious string containing JavaScript code, which would then be executed on the phone.

As an example, when a user opened the device in the app, instead of displaying “Upstairs Baby Monitor,” the phone would execute the malicious code embedded in the ‘friendly name’.

When installed on Android, the application has permissions to access the phone's camera, contacts and location, as well as the files stored on its SD card. Any JavaScript code executed inside the app therefore inherits those permissions.

In their demonstration, the researchers crafted JavaScript code that took photos from the phone and uploaded them to a remote server. It also continuously uploaded the phone's GPS coordinates to the server, enabling remote location tracking.

Neither technique required root access to the phone; it was enough for the app to be active or running in memory on the phone.
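The friendly-name flaw is a textbook case of untrusted data from the network reaching a web view as markup. The following is an added illustration, not Invincea's or Belkin's code, and it makes no claim about how the real app builds its screens: it shows a device card rendered by string concatenation (the vulnerable pattern) beside the same card with the name escaped for both the attribute and the element-content context (the hardened pattern). The device names used are constructed sample values; the `renderDeviceCard*` and `tagCount` function names are hypothetical.

```javascript
// Added example (not Invincea's or Belkin's code): an untrusted device
// "friendly name" received over the local network is rendered into HTML.
// The sample names below are constructed for this illustration.

// Escape the five characters that let text break out of HTML element
// content or out of a double- or single-quoted attribute value.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Vulnerable pattern (hypothetical name): the name reported by the device
// is concatenated straight into markup. Whatever the device, or anyone on
// the same network who can set the name, sends is parsed as HTML, so a
// name containing a script element runs with the app's permissions.
function renderDeviceCardUnsafe(friendlyName) {
  return '<div class="device" title="' + friendlyName + '">' +
         '<span class="name">' + friendlyName + '</span></div>';
}

// Hardened pattern (hypothetical name): identical markup, but the name is
// escaped once and used in both the attribute and the element context.
// The web view now displays the name literally instead of parsing it.
function renderDeviceCardSafe(friendlyName) {
  const safe = escapeHtml(friendlyName);
  return '<div class="device" title="' + safe + '">' +
         '<span class="name">' + safe + '</span></div>';
}

// Counts '<' characters, i.e. the number of tag openers the HTML parser
// will see. The card's own markup always contributes exactly four; any
// extra ones come from the name and indicate the data became code.
function tagCount(html) {
  return (html.match(/</g) || []).length;
}

// Constructed sample names: a benign one as in the article, and one that
// carries a script element where a display name is expected.
const BENIGN_NAME = "Upstairs Baby Monitor";
const HOSTILE_NAME = "<script>alert(1)</script>";

// Renders both cards for a name and reports how many tag openers each
// contains, so the two patterns can be compared on the same input.
function compareRenderings(friendlyName) {
  const unsafe = renderDeviceCardUnsafe(friendlyName);
  const safe = renderDeviceCardSafe(friendlyName);
  return { unsafeTags: tagCount(unsafe), safeTags: tagCount(safe) };
}

console.log("benign :", compareRenderings(BENIGN_NAME));   // 4 vs 4
console.log("hostile:", compareRenderings(HOSTILE_NAME));  // 8 vs 4
```

For a benign name both renderings are byte-for-byte identical, which is why this class of bug survives testing: only a name containing markup characters shows the difference. Escaping at the point of insertion is the minimum fix; on Android the damage the article describes (camera, contacts, location, SD card access from JavaScript) also depends on the WebView having JavaScript enabled and a bridge into the app, so a defender reviewing such an app would additionally check that `WebSettings.setJavaScriptEnabled(false)` is used wherever only static content is shown and that any JavaScript bridge exposes the narrowest possible surface.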

Researchers speak on Belkin and 1995 IoT security

Tenaglia and Tanen told CSO Online that Belkin has been ‘very responsive’ to their report, singling it out as one of the better IoT vendors for security.
