

Boffins turn phone into tracker by abusing pairing with – that's right – IoT kit

Security researchers exploit vulns in Belkin home automation product

Black Hat EU Security researchers have worked out how to hack into a smartphone and turn it into a tracking device by abusing its pairing with a Belkin home automation device.

Joe Tanen and Scott Tenaglia of Invincea Labs were able to root a WeMo device and then, from the compromised device, inject code into the WeMo Android app. The attack, which used an IoT device to hack into a phone, abused normal functionality in order to exploit the app, the researchers explained during a presentation at Black Hat Europe on Friday.

Vulnerabilities in both the device and the Android app can be abused to obtain a root shell on the device, before running arbitrary code on the phone paired with it. The same approach might be used to crash the device, and launch DoS attacks without rooting it.

"We were able to turn your phone into a GPS tracker because your IoT kit is kinda insecure," Tenaglia explained.

The talk – entitled Breaking BHAD: Abusing Belkin Home Automation Devices – also covered details of heap overflow, SQL injection, and code injection zero days, as well as their associated exploits. These various flaws were resolved by a recent update from Belkin.

The researchers credited Belkin with taking security far more seriously than most IoT vendors by responding to security research and developing a patching process.

In 2013 and 2014, several high-profile vulnerabilities were found in Belkin's WeMo line of home automation devices. Belkin not only patched most of those vulnerabilities, but also maintains a very regular update cycle, which "makes them one of the more responsive players in the IoT space", according to the Invincea Labs duo.

El Reg approached Belkin for comment on the research but is yet to hear back anything substantive. We'll update this story as and when we hear more.

Updated

In a statement, Belkin said it worked with the researchers to address security flaws in the WeMo devices, the significance of which it downplayed.

"We were able to issue a fix for the first Android App issue almost immediately, and then just recently released the firmware patch for the SQL Injection vulnerability on Nov. 1. Both of these fixes address all of the vulnerabilities reported by Invincea.

"We don’t believe these latest vulnerabilities presented a major threat, largely because they were both addressed before the researcher’s findings were released, and the actual likelihood of someone being able to execute this in a real life situation is extremely small. It would essentially require someone to target a Wemo user that is running old firmware and then get access to their local area network at the same time in order to run malicious code. That said, we did address both of them ASAP to ensure that no one could exploit these particular issues."

The SQL injection vulnerability was patched as of 1 November in WeMo firmware versions 10884 or 10885, depending on the device.

More info on the various issues uncovered by the Invincea team can be found in a blog post here. ®

 
