The Internet of things (IoT) has already been used to launch the biggest DDoS attacks ever, but now it represents a potential path for attackers to compromise cell phones.
Flaws in Belkin WeMo devices – electrical switches, cameras, light bulbs, coffee makers, air purifiers, etc. – enabled Invincea Labs researchers to not only hack into the devices, but to use that access to attack an Android phone running the app that controls the WeMo devices.
“This is the first instance we’ve seen of IoT hacking something else,” says researcher Scott Tenaglia, who pledges to look for other vulnerable devices that might be abused to carry out similar attacks.
MORE: CIO security lessons, including about IoT
Tenaglia and his fellow researcher Joe Tanen are presenting their research this week at Black Hat Europe in London.
Belkin says it has issued patches for the flaws.
Invincea Labs“This is the first instance we’ve seen of IoT hacking something else,” says Invincea Labs researcher Scott Tenaglia
CARRYING OUT AN ATTACK
To carry out the attack the researchers attached a laptop to the same network that the WeMo device was connected to. They communicated with the device via universal plug and play (UPnP) messages, which are essentially Web requests to particular URLs on the device, Tenaglia says.
One request they sent was for the device to change its name, and they substituted the original name with a malicious string of code.
A customer can control WeMo devices via an Android application that, when it is first turned on, queries the environment for WeMo devices. One of the things the devices respond with is their names. “If the name is a malicious string, as soon as it hits the application the code executes,” Tenaglia says.
As a demonstration of what such a string might do, the researchers had it download all the pictures from the phone’s camera to a remote server. They also had it beacon the phone’s location to the researchers so the phone then acted like a geolocation tracker.
The hack doesn’t compromise the entire phone, just the services that the WeMo application has access to. These are the telephone, the camera, storage and location, he says.
The hackers access continues even when the application is running in the background, he says. “The only way to stop it is to force-quit the app, which few users do,” he says.
The researchers tapped into the WeMo device via its local network, but it might be possible through Belkin’s cloud infrastructure. Tenaglia says Belkin doesn’t permit researchers to meddle with its cloud infrastructure, but that restriction wouldn’t necessarily be observed by hackers.
Going forward, apps for controlling IoT devices will have to be considered a possible security threat. “The consumer has to make the decision: ‘Do I want the internet-enabled whatever device? Because I know it might affect the security of my phone,’” he says.
While he plans more research into IoT security, he sees others jumping on this new means of compromising phones. “There are going to be more second- and third-order effects of having an IoT device – things we haven’t thought of yet,” he says.