LONDON, UK – Research director Scott Tenaglia and lead research engineer Joe Tanen detailed the vulnerabilities during their ‘Breaking BHAD: Abusing Belkin Home Automation devices’ talk at the Black Hat Europe conference in London last Friday.
The zero-day flaws specifically relate to Belkin’s smart home products and accompanying Android mobile application, which is used to wirelessly control the home automation devices.
The first flaw, a SQL injection vulnerability, enables would-be hackers to inject malicious code into the paired Android WeMo smartphone app, and thus take root control of the connected home automation device.
“We found two zero-day vulnerabilities. One of them allows you to remotely root any WeMo device, and the other one allow you to do cross-site scripting, and execute arbitrary code inside the Android app for WeMo devices,” said Tenaglia, speaking to CSO Online on Friday.
The WeMo product range launched in 2012 and today includes several devices, including connected room heaters, coffee makers and humidifiers. Belkin claims to have sold 1.5 million devices to date.
Prior to the demonstration on Friday, the researchers disclosed these vulnerabilities, with Belkin issuing updates for the firmware (10884 and 10885) for the SQL injection vulnerability in November, and for the mobile application (now version 1.15.2) in August.
‘Textbook SQL injection’
The SQL injection vulnerability led the Invincea Labs duo to carry out a “textbook” SQL injection attack.
In this case, researchers found they could inject data into the databases used by the WeMo devices, to take control of the Belkin WeMo Switch device (*the flaw is also presence in WeMo-compatible Crock-Pot, and most likely in other WeMo devices too).
The WeMo mobile app, which is available for iOS and Android, lets users create ‘rules’ to control Belkin devices. As one example, one such rule may be for a connected lamp to automatically turn off each night at 10pm.
These rules can be configured on the app and pushed to the Belkin WeMo device over the local network as an SQLite database file. On receiving the file, the device decompresses it and uses a set of SQL queries to pull rule information from the new database and update its in-memory rules.
Tenaglia and Tanen found an SQL injection flaw in this configuration, potentially enabling attackers to write an arbitrary file on the device in a location of their choosing, and for the device to execute on the file.
There is no authentication or encryption used for device communication over the local network, meaning anyone – and any device - can send the malicious SQLite file to the Belkin device assuming they are on the same network.
Tenaglia and Tanen exploited the flaw to create a second SQLite database on the device that would be interpreted as a shell script by the command interpreter. They placed the file in a specific location from where it would be automatically executed by the device's network subsystem on restarting the device.
On restart, they gained root control over the device and could run Telnet (although they say hackers could run anything at this point),). Tenaglia and Tanen said at the conference that this technique could be used for DDoS attack or causing the IoT product to malfunction, such as overheat.
"We could easily run Mirai on this…. The only real remediation is a firmware update,” said Tanen at Black Hat Europe.
Both researchers praised Belkin for the speed in which they responded. Both firmware vulnerabilities were verified on the same day within an hour, while Belkin released a patch for the Android app on September 1st. The firmware update was available as of 1st November.
Yet Tanen told CSO that hackers can kill the firmware update process entirely: “Once you’re on the device, the firmware update process just runs the script. We could easily remove that file, or modify that script.
“We could trivially break the firmware update process to prevent it from ever updating the firmware.”
The second vulnerability involves the running of malicious code on the Android app.
As an example, when a user would open the device in the app, instead of displaying “Upstairs Baby Monitor,” the phone would execute the malicious code input in the ‘friendly’ name.
Both techniques required no root access to the phone, simply for the app to be active or running in memory on the phone.
Researchers speak on Belkin and 1995 IoT security
Tenaglia and Tanen told CSO Online that Belkin has been ‘very responsive’ to their report, even earmarking them as one of the better IoT vendors for security.
On IoT security, the researchers are worried about the possibility for such vulnerabilities to lead onto ‘second and third factor’ attacks, such as credit card details being stolen from connected devices.
“People think about the first problem; some guy runs code on my system – what do I care?” said Tenaglia. “These second and third factors, that’s where we’re trying to get to. What are the real consequences of this?”
“People want to integrate IoT devices into everything now…The more stuff is gets integrated into, the more real-world consequences you’re going to have when someone else gains control,” added Tanen.
Tenaglia drew a parallel with Android security, saying that while there have been efforts to sandbox apps and develop good security practice, such as not run Telnet from boot, IoT remains in a 1995 era. “Everything we’ve learned since then people aren’t doing.”
He said that IoT devices are susceptible to ‘low hanging fruit’ attacks like XML injection attacks.
Tanen urges vendors to ensure they restrict privileges with their IoT devices, while Tenaglia says adopting businesses should build security design stack with third-parties and get help with security assessment.
This story, "SQLi, XSS zero-days expose Belkin IoT devices, Android smartphones" was originally published by CSO.