Belkin’s WEMO internet of things devices, widely deployed in homes around the world, until this week were at risk from a pair of zero-day vulnerabilities. The vulnerabilities, which security firm Invincea reported, are set to be detailed in a Black Hat Europe session on Nov. 4 titled, “Breaking BHAD: Abusing Belkin Home Automation Devices.”
Scott Tenaglia, IoT researcher for Invincea Labs, said his team decided to look at Belkin because there are at least 1.5 million WEMO devices deployed on the market.
“What we found is a way to remotely root all WEMO devices through a SQL injection vulnerability,” Tenaglia told eWEEK. “Then we also found a way to run arbitrary code on the Android app that is used to communicate with the WEMO devices.”
The WEMO devices include functionality that enables users to set up rules for when devices should turn on or off, he explained. The WEMO mobile app includes a user interface for creating rules, all of which the app stores internally in a SQLite database. SQLite is commonly used on embedded devices because it has a small resource footprint.
When the mobile app creates the rule in the SQLite database, that rule is also sent to the WEMO device to be integrated with the device’s in-memory rules.
“We discovered that the SQL queries that are on the device that are used to update memory are vulnerable to SQL injection,” Tenaglia said.
There is a specific syntax with SQLite that enables an application to attach one database to another, he said. The idea behind enabling SQLite to attach a new database is so that applications can read additional data. If the specific database in the “attach database” query doesn’t exist, SQLite will create a new database file.
WEMO, like many embedded systems, uses the open-source BusyBox tool suite to enable common Linux commands. BusyBox includes the /bin/sh command for executing a shell on the device using the Ash shell, a simplified version of the Bash shell.
“There is a way to create a SQLite database that will be parsed as an Ash shell script from purely SQL statements,” Tenaglia explained.
He added that the attach database syntax allows him to write a file wherever he wants on the file system. Combining that with the technique for creating an Ash shell script allowed his team to put data in the files that will be executed as commands. In the sample proof of concept that Invincea Labs built, the shell script opens a Telnet session that enables any connection to be dropped into an unauthenticated root shell, without the need for a username or password.
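The injection and the file-creating behaviour of "attach database" described above can be reproduced, and blocked, on any desktop SQLite. The Python sketch below is an added example, not Belkin's firmware code or Invincea's proof of concept; the rules table, the function names and the use of a multi-statement API on the vulnerable path are assumptions. It contrasts string-built SQL with a bound parameter and with a SQLite authorizer that refuses ATTACH.

```python
import os
import sqlite3
import tempfile

def open_rules_db():
    # Hypothetical stand-in for the device's rules store.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE rules (name TEXT, state INTEGER)")
    return db

def add_rule_concatenated(db, name, state):
    # Vulnerable pattern: untrusted text spliced into SQL and run through a
    # multi-statement API (assumed here; models C's sqlite3_exec).
    db.executescript(
        f"INSERT INTO rules (name, state) VALUES ('{name}', {int(state)});")

def add_rule_parameterized(db, name, state):
    # Hardened pattern: the value is bound, never parsed as SQL.
    db.execute("INSERT INTO rules (name, state) VALUES (?, ?)", (name, int(state)))
    db.commit()

def deny_attach(action, arg1, arg2, db_name, source):
    # Defence in depth: refuse ATTACH/DETACH when the statement is compiled.
    if action in (sqlite3.SQLITE_ATTACH, sqlite3.SQLITE_DETACH):
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK

def run_case(add_rule, use_authorizer):
    """Return (file_created, stored_names) for one constructed rule name."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "extra.db")
        # Constructed input: closes the string literal, then attaches a new file.
        name = f"x', 0); ATTACH DATABASE '{target}' AS extra; --"
        db = open_rules_db()
        if use_authorizer:
            db.set_authorizer(deny_attach)
        try:
            add_rule(db, name, 1)
        except sqlite3.Error:
            pass  # the authorizer rejects the ATTACH with "not authorized"
        created = os.path.exists(target)
        names = [row[0] for row in db.execute("SELECT name FROM rules")]
        db.close()
        return created, names

if __name__ == "__main__":
    print("concatenated:", run_case(add_rule_concatenated, False))
    print("concatenated + authorizer:", run_case(add_rule_concatenated, True))
    print("parameterized:", run_case(add_rule_parameterized, False))
```

Only the concatenated path without the authorizer leaves a new file on disk; with a bound parameter the whole input is stored as the rule name.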
Anyone with access to the local network on which the WEMO device is deployed could have potentially attacked the WEMO to enable the root exploit. There is no authentication to the WEMO on a local network, Tenaglia explained.
“What happens when the WEMO app is loaded is it sends out a UPnP [Universal Plug and Play] message looking for WEMO devices,” Tenaglia said. “So anybody that walks into a room and is on the same local network as the WEMO can use this root exploit.”
While the rules exist on both the mobile app and the WEMO device firmware, the rules are also replicated to a WEMO cloud service. Tenaglia explained that Invincea Labs did not test Belkin’s cloud service as part of its research. Belkin has expressly forbidden security researchers from taking aim at the Belkin cloud service, he added.
“We abided by Belkin’s rules, and we didn’t look at their cloud service,” Tenaglia said.
Invincea Labs also looked at the WEMO mobile app on Android and found a vulnerability.
“Our demo that we’ll show in the Black Hat talk is how we could download all of a user’s images and also beacon out the user’s location to us,” Tenaglia said.
The root cause of the flaw was present in the open-source Apache Cordova code that Belkin’s WEMO app was using. According to Tenaglia, Belkin was using an older version of Cordova that has since been patched by the upstream open-source project.
Invincea Labs first reported the flaws to Belkin on Aug. 11. Belkin responded the same day and confirmed that the vulnerabilities existed, Tenaglia said. Belkin has since pushed out updates for its mobile app and its WEMO device firmware for the issues Invincea identified.
“It was a pretty good interaction with Belkin,” Tenaglia said. “We told them in our initial disclosure that we weren’t trying to poke them in the eye, and we wanted to show them that security researchers can have good relationships with vendors.”
This isn’t the first time security researchers have found issues with WEMO devices. In February 2014, security firm IOActive alleged that it found security vulnerabilities in WEMO devices. A day later, Belkin responded to IOActive’s claims and noted that the issues had already been fixed.
“We plan to continue our research moving forward, and we’re interested in looking at IoT holistically,” Tenaglia said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.