Security Firm to Detail Vulnerabilities in WeMo Switch and Android App

On Friday, at Black Hat Europe, an annual conference for the information security industry, Invincea Labs will detail two security vulnerabilities that it has discovered in smart-home products and an app made by WeMo—one of which would expose a user's smartphone photos and location to an attacker.
By Mary Catherine O'Connor
Nov 02, 2016

Invincea Labs develops and prototypes software and embedded computing devices for use in distributed sensor networks, among other work, for customers in government and the defense industry. To support this work, its research team focuses on software security and analyzing malicious software, among other areas of study. Earlier this year, the company's researchers decided to look for security vulnerabilities in the popular WeMo smart-home products and companion mobile app. They discovered two "zero day" (or previously unknown) vulnerabilities—one in the WeMo Switch, a remotely controllable light switch, and the WeMo Android smartphone application. Consumer electronics manufacturer Belkin owns Wemo.

Scott Tenaglia, Invincea Labs' research director and principal research engineer, will present the team's findings. In addition, because the novel exploitation techniques the firm employed to discover the vulnerabilities could be used to test the security of other Internet of Things devices, he will share details of the techniques with attendees.

A WeMo Switch
Invincea Labs' team disclosed details regarding both vulnerabilities to WeMo on Aug. 11, Tenaglia reports, and the company responded within the hour. In response, WeMo issued an update to its Android app on Sept. 1. Yesterday, the company told the researchers it would be issuing a firmware update to address the device's vulnerability in the afternoon. The firmware update will be automatic for consumers, as was the smartphone app, as long as a consumer has set his or her phone to upload application updates automatically (those who had changed the setting will receive an alert regarding the update, which they would need to approve in order to install it).

Leah Polk, a Belkin spokesperson, confirmed that both the WeMo app and firmware updates have been issued, adding that her company appreciates the work that Invincea Labs and other security researchers do to expose vulnerabilities. Using their input, she says, is "an important part of our security process."

"We figured out how to get remote root, or administrative, access to the device," Tenaglia explains, describing the security hole that allowed him to control the WeMo Switch. "We found a way one could install software on the device, access it at the administrative level and take over the device's controls. That opens up the ability to do physically destructive things to whatever is attached to the switch—so if I toggled the power fast enough, maybe I can blow the light bulb, for example."

Such an attack would be potentially dangerous, but the team verified that other types of products made by WeMo use the same firmware and would, therefore, be vulnerable to the same hack that Invincea Labs developed (an SQL database injection) to access remote root control. These include the WeMo Insight Switch, which can be used to remotely turn electronic devices and appliances on or off, and to send notifications to a user's smartphone showing how much energy those appliances and devices are using. Belkin also makes a Crock-Pot slow cooker that can be controlled remotely via the WeMo app, and that uses the same firmware.

Joe Tanen, Invincea Labs' lead research engineer, notes that if an attacker can gain root control of a WeMo or other smart-home device, he or she gains more control over that device than the owner, due to how such products are designed. "Device makers don't want to give you administrative control—like you have on your home computer—because then you could screw up the device very easily," he explains. "They're not as robust as your home computer."

Simply enter a question for our experts.
Sign up for the RFID Journal Newsletter
We will never sell or share your information
RFID Journal LIVE! RFID in Health Care LIVE! LatAm LIVE! Brasil LIVE! Europe RFID Connect Virtual Events RFID Journal Awards Webinars Presentations