The WeMo devices were the subject of a key report on IoT security. Learn about the many ways in which they were compromised.
- [Narrator] Belkin manufactures a wide range of home automation products including smart plugs, light switches, dimmers, cameras, baby monitors, motion sensors, and light bulbs, as well as embedded control of appliances such as coffee makers and Crock-Pots. In addition, the WeMo Maker can be connected to any five-volt device and allow it to be automated. WeMo devices are Wi-Fi enabled and can be accessed as devices on the home network.
However, using the WeMo remote access feature they can be controlled from anywhere through a mobile phone via Belkin's central WeMo server. The WeMo range of home automation products gained some unwanted publicity in 2014 when they were found to contain security flaws. The WeMo devices connect to the internet using the STUN/TURN protocol. This gives users remote control of the devices and allows them to perform firmware updates from anywhere in the world.
On the 18th of February 2014, CERT issued an advisory for multiple vulnerabilities in the Belkin WeMo home automation devices relating to its implementation of STUN/TURN. The advisory was based on research carried out at IOActive. The research focused on the WeMo light switch and resulted in a number of vulnerabilities being found. These include remote control of attached devices over the internet, the ability to push malicious signed firmware updates, remote monitoring, and internal LAN access.
The issues also demonstrated some weak design practices. For example, the firmware updates are encrypted using GPG, but Belkin had distributed the firmware signing key with the WeMo firmware image. This enabled attackers to extract and use the key to sign malicious firmware images. The WeMo RESTful service endpoint is vulnerable to attack and can allow an arbitrary file download, an issue which should have been picked up during testing.
IOActive notified Belkin in October 2013 and by November 2013 Belkin had started posting firmware fixes. In 2016 a further vulnerability was discovered in the latest Belkin WeMo switch by researchers from security firm Invincea. In this case it's an SQL injection attack, which can be performed on the rules database in the device. They confirmed the same flaw in a WeMo-enabled smart slow cooker from Crock-Pot.
Belkin released a fix for the issue in November 2016. The SQL injection can be exploited by tricking the device into parsing a maliciously crafted SQLite database, and this would allow attackers to write an arbitrary file on the device. This can be written in the form of a shell script in a location which enables it to be started as part of setting up a network connection. By doing this they were able to establish a root-account telnet session between the attacker and the device.
It could also be used to insert payloads such as the Mirai denial of service malware. The Invincea team also tested and was able to exploit the WeMo Android application using a cross-site scripting attack via the WeMo device, by maliciously changing the device name to executable code so that when it was retrieved by the app it called the code injection. The code injection was used to continuously send the phone's location to the attacker, amongst other things.
To complete the hat trick, the Invincea team also demonstrated that it was able to get root access directly through the hardware, as described in their blog posting shown here. In this case they were able to read memory during boot-up and change the flash to enable unauthenticated root access. The Belkin line of equipment is considered to be some of the better IoT kit on the market and when issues have been found Belkin has been very responsive. Not all IoT device manufacturers can be expected to be as responsive and not all users will apply the patches.
So what we learned from this case study is that secure design practices and security testing will take an increasingly important role in the internet of things.
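The firmware-signing weakness above (the signing key shipped inside the firmware image, so anyone who extracted it could sign their own images) comes down to one design rule: the device only ever needs the public half of the key pair, and the private half must stay on the build system. The example below is added here to illustrate that rule; it is not Belkin's code and not from the IOActive or Invincea research. It uses Ed25519 from Go's standard library in place of the GPG scheme the narrator mentions, and it adds a build-pipeline gate, `ImageLeaksSigningKey`, that refuses to release an image whose payload contains the private key's seed bytes. The firmware payloads are constructed strings, not real WeMo images.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirmwareImage is the update as it travels to the device: the raw payload
// plus a detached signature. Nothing in this struct is secret.
type FirmwareImage struct {
	Payload   []byte
	Signature []byte
}

// BuildSigner holds the private signing key. It exists only on the build
// system; the device never receives this struct or its key.
type BuildSigner struct {
	priv ed25519.PrivateKey
}

// DeviceVerifier is the only key material that ships inside the firmware:
// the public key. Extracting it from a device gives an attacker nothing
// they can sign with.
type DeviceVerifier struct {
	pub ed25519.PublicKey
}

// NewSigningKeys generates a fresh key pair and splits it into the
// build-side signer and the device-side verifier.
func NewSigningKeys() (*BuildSigner, *DeviceVerifier, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &BuildSigner{priv: priv}, &DeviceVerifier{pub: pub}, nil
}

// Sign hashes the payload and signs the digest with the private key.
func (s *BuildSigner) Sign(payload []byte) FirmwareImage {
	digest := sha256.Sum256(payload)
	return FirmwareImage{
		Payload:   append([]byte(nil), payload...),
		Signature: ed25519.Sign(s.priv, digest[:]),
	}
}

// Verify recomputes the digest and checks the signature with the public key.
// A modified payload, or a signature made with any other key, is rejected
// before anything is written to flash.
func (d *DeviceVerifier) Verify(img FirmwareImage) error {
	if len(img.Signature) != ed25519.SignatureSize {
		return errors.New("firmware: malformed signature")
	}
	digest := sha256.Sum256(img.Payload)
	if !ed25519.Verify(d.pub, digest[:], img.Signature) {
		return errors.New("firmware: signature check failed, refusing to flash")
	}
	return nil
}

// ImageLeaksSigningKey is a build-pipeline gate (hypothetical, added here):
// it scans the outgoing image for the private key's seed bytes so an image
// that accidentally bundles the signing key never leaves the build system.
func ImageLeaksSigningKey(s *BuildSigner, img FirmwareImage) bool {
	return bytes.Contains(img.Payload, s.priv.Seed())
}

func main() {
	signer, verifier, err := NewSigningKeys()
	if err != nil {
		panic(err)
	}
	// Constructed sample payload standing in for a real firmware blob.
	good := signer.Sign([]byte("example-firmware-2.00"))
	fmt.Println("genuine image:", verifier.Verify(good))

	tampered := good
	tampered.Payload = []byte("example-firmware-2.00+modified")
	fmt.Println("tampered image:", verifier.Verify(tampered))

	// An image that mistakenly bundles the private key is caught at build time.
	leaky := signer.Sign(append([]byte("bundle:"), signer.priv.Seed()...))
	fmt.Println("image bundles signing key:", ImageLeaksSigningKey(signer, leaky))
}
```

The point of the split into two structs is that the verifier side can be audited by inspection: if the device-side code has no field that can hold a private key, the mistake described in the case study cannot be made in that code path, and the release gate catches the remaining case where the key is bundled as data rather than as code.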