A hacker could exploit a series of vulnerabilities in an Internet of Things (IoT) device and its corresponding Android app to turn the phone into a secret GPS tracker.
Joe Tanen and Scott Tenaglia of Invincea Labs shared details of the hack last week at the Black Hat EU conference.
In their presentation, the duo explains that the exploit specifically applies to Belkin’s line of WeMo home automation devices, including light switches, cameras, and LED lights.
Tanen and Tenaglia chose WeMo devices because of Belkin’s good reputation in the IoT space, which is more than one can say about some manufacturers’ commitment to patching their devices for vulnerabilities.
The research duo explains:
“In 2013 and 2014 several high profile vulnerabilities were found in Belkin’s WeMo line of home automation devices. Belkin not only patched most of those vulnerabilities, but also maintains a very regular update cycle, which makes them one of the more responsive players in the IoT space. Therefore, we thought it would be interesting to revisit this line of IoT products to see how we could break or abuse them.”
It’s therefore not surprising that Belkin has already fixed the issues addressed by the researchers in their presentation.
With a WeMo device and the paired Android app, an attacker could have exploited heap overflow, SQL injection, and a bunch of code injection zero day vulnerabilities to establish a root shell on the device.
Once that’s done, an attacker could have abused some additional vulnerabilities to run arbitrary code on the paired phone.
That code, Tenaglia points out, could have turned the phone into a GPS tracker. As quoted by The Register:
“We were able to turn your phone into a GPS tracker because your IoT kit is kinda insecure.”
An attacker could have employed that same approach to deny service to the device or launch denial-of-service (DoS) attacks without rooting the device.
But as I said before, those issues have been fixed. Let’s hope some manufacturers learn from Belkin’s example by responding to security issues in a timely manner and reviewing how their devices interact with their respective mobile apps.
It’s all but given that most won’t. After all, availability still drives forward the development of IoT devices. Not security.
However, if some developers begin to think about security by design, perhaps we can start to defend ourselves against attacks like the DDoS campaign that crippled Dyn’s DNS infrastructure back in October.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.