Security Firm to Detail Vulnerabilities in WeMo Switch and Android App

By Mary Catherine O'Connor

On Friday, at Black Hat Europe, an annual conference for the information security industry, Invincea Labs will detail two security vulnerabilities that it has discovered in smart-home products and an app made by WeMo—one of which would expose a user's smartphone photos and location to an attacker.

Invincea Labs develops and prototypes software and embedded computing devices for use in distributed sensor networks, among other work, for customers in government and the defense industry. To support this work, its research team focuses on software security and analyzing malicious software, among other areas of study. Earlier this year, the company's researchers decided to look for security vulnerabilities in the popular WeMo smart-home products and companion mobile app. They discovered two "zero day" (or previously unknown) vulnerabilities: one in the WeMo Switch, a remotely controllable light switch, and the other in the WeMo Android smartphone application. Consumer electronics manufacturer Belkin owns WeMo.

Scott Tenaglia, Invincea Labs' research director and principal research engineer, will present the team's findings. In addition, because the novel exploitation techniques the firm employed to discover the vulnerabilities could be used to test the security of other Internet of Things devices, he will share details of the techniques with attendees.

A WeMo Switch

Invincea Labs' team disclosed details regarding both vulnerabilities to WeMo on Aug. 11, Tenaglia reports, and the company responded within the hour. In response, WeMo issued an update to its Android app on Sept. 1. Yesterday, the company told the researchers it would be issuing a firmware update in the afternoon to address the device's vulnerability. The firmware update will be automatic for consumers, as was the smartphone app update, as long as a consumer has set his or her phone to install application updates automatically (those who have changed the setting will receive an alert regarding the update, which they will need to approve in order to install it).

Leah Polk, a Belkin spokesperson, confirmed that both the WeMo app and firmware updates have been issued, adding that her company appreciates the work that Invincea Labs and other security researchers do to expose vulnerabilities. Using their input, she says, is "an important part of our security process."

"We figured out how to get remote root, or administrative, access to the device," Tenaglia explains, describing the security hole that allowed him to control the WeMo Switch. "We found a way one could install software on the device, access it at the administrative level and take over the device's controls. That opens up the ability to do physically destructive things to whatever is attached to the switch—so if I toggled the power fast enough, maybe I can blow the light bulb, for example."

Such an attack would be potentially dangerous, and the team verified that other types of products made by WeMo use the same firmware and would, therefore, be vulnerable to the same hack that Invincea Labs developed (an SQL database injection) to access remote root control. These include the WeMo Insight Switch, which can be used to remotely turn electronic devices and appliances on or off, and to send notifications to a user's smartphone showing how much energy those appliances and devices are using. Belkin also makes a Crock-Pot slow cooker that can be controlled remotely via the WeMo app, and that uses the same firmware.

Joe Tanen, Invincea Labs' lead research engineer, notes that if an attacker can gain root control of a WeMo or other smart-home device, he or she gains more control over that device than the owner, due to how such products are designed. "Device makers don't want to give you administrative control—like you have on your home computer—because then you could screw up the device very easily," he explains. "They're not as robust as your home computer."

The researchers were unable to gain entry into WeMo's cloud-based servers as a vector into the devices. This suggests that, in order to obtain remote root access control, an attacker would need to gain entry to a home's Wi-Fi router or gain entrance into the home's network some other way. However, an attacker could also access a network via a poorly secured IoT device, such as the type of internet-connected cameras and DVRs that attackers leveraged in recent Distributed Denial of Service (DDoS) attacks on websites.

Tanen and Tenaglia both say the vulnerability in the Android smartphone app is likely more disconcerting to consumers than that of the WeMo switch device. That's because the hack they created would give access to much of the content stored on a user's smartphone, including its contacts and photos.

The WeMo companion mobile app

"What we did is we set the name of the [WeMo] device to be a malicious string containing JavaScript code," Tenaglia explains. Whenever the smartphone connects to that WeMo device, the app then executes the code embedded in that name.

"That code allows us to do anything that the app can do," Tanen says, "and the app can access the phone's camera, photos, contacts and location. So we've demonstrated that we can download all the photos from the phone and start beaconing the phone's location back to us."
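The class of flaw described above, a device-supplied name being run as script by the app, comes down to untrusted text being placed into markup without encoding. The following is an added illustration, not code from WeMo, Belkin or Invincea Labs: it assumes the app builds its device list as HTML in an embedded web view (the article does not describe the app's internals), and the device records and function names are constructed for the example.

```javascript
// Added example: treat a device-reported name as untrusted data.
// Assumption: the device list is rendered as HTML inside the app.

// Encode the characters that let text break out of HTML content
// or out of a quoted attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak pattern: the name is concatenated into markup, so any tag it
// carries is parsed as part of the page, with the app's privileges.
function renderDeviceUnsafe(device) {
  return '<li class="device">' + device.name + '</li>';
}

// Hardened pattern: the name is encoded first and stays plain text.
function renderDeviceSafe(device) {
  return '<li class="device">' + escapeHtml(device.name) + '</li>';
}

// Defence in depth: flag names carrying angle brackets or control
// characters so the app can log them instead of silently showing them.
function isSuspiciousName(name) {
  return typeof name !== 'string' || /[<>\u0000-\u001f]/.test(name);
}

// Render a whole list safely and report which device ids were flagged.
function renderDeviceList(devices) {
  const flagged = devices.filter((d) => isSuspiciousName(d.name)).map((d) => d.id);
  const html = '<ul>' + devices.map(renderDeviceSafe).join('') + '</ul>';
  return { html, flagged };
}

// Constructed sample input: one ordinary name, one carrying markup.
const sampleDevices = [
  { id: 'dev-1', name: "Tom & Ann's Lamp" },
  { id: 'dev-2', name: '<script>document.title="x"</script>' },
];

const result = renderDeviceList(sampleDevices);
console.log(result.html);
console.log('flagged:', result.flagged);
```

Encoding at the point of output is the control that matters here; the name check only adds visibility, since a legitimate name may contain characters such as `&` or an apostrophe.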

Poor security settings on IoT devices have led to a number of recent high-profile breaches, including a DDoS attack that temporarily took down many popular websites last month. Yet, Tenaglia says, outside of not being able to access a website for a time, consumers have not been directly impacted by those breaches. In demonstrating the ability to not only infiltrate an app used to control an IoT device, but also access a smartphone's photos and other information that most people consider highly personal, Tenaglia and Tanen believe this exposure could make digital security around smart-home products a higher priority for consumers.

This is not the first time security researchers have discovered and revealed security holes in WeMo's smart-home products. In early 2014, IOActive, a Seattle-based security firm, revealed that hackers could access and control WeMo devices remotely, and also install their own malicious firmware, control the devices and access the home's computer network. WeMo quickly patched that security hole.