If you have an internet-connected home appliance, such as a crock-pot, a lightbulb, or a coffee maker, you can control it from the comfort of your smartphone. But a bug in the Android app that controls some of those devices made by a popular manufacturer also allowed hackers to steal all your cellphone photos and even track your movements.
Security researchers found that the Android app for internet-connected gizmos made by Belkin had a critical bug that let anyone who was on the same network hack the app and get access to the user's cellphone. This gave them a chance to download all photos and track the user's position, according to new research by Scott Tenaglia and Joe Tanen, from Invincea Labs.
The two researchers looked into the security of Belkin's popular WeMo home-automation devices and found several issues, including one in WeMo's Android app, which has between 100,000 and 500,000 downloads, according to stats on the Google Play app store. They also found one flaw in the devices' themselves, which allowed hackers to take control of the device.
Belkin fixed the Android app's vulnerability in August, and the company said that it's releasing a firmware update to fix the devices' flaw on Wednesday. (The update won't be automatic, however, and owners will have to download and install it themselves.)
But these bugs, especially the one that allowed hackers to use a WeMo device to hack the user's Android phone, are the umpteenth reminder that the devices that are part of the so-called Internet of Things are often riddled with security flaws. And even if users might not particularly care if their toasters or DVRs are part of an army of zombie computers that can take down websites, they probably will have a different opinion about their smart appliances if hackers can use them to get into their smartphones.
"The insecurity of my [Internet of Things device] now affects the security of another device I own, something that I probably care a lot more about."
"The insecurity of my [Internet of Things device] now affects the security of another device I own, something that I probably care a lot more about than my IoT," Tenaglia told Motherboard in a phone call.
The good news here is that Belkin answered quickly to these vulnerabilities, and attackers needed to be on the same network as the WeMo devices to attack them. That's not a guarantee it can't happen to anyone though. Tenaglia and Tanen posited a scenario where hackers get into an DVR or camera that has default credentials. At that point, they're inside the network. They scan for WeMo devices, and from there, they hack the user's Android phone.
The bad news is that the flaw in the WeMo device gave hackers full control of the gizmos, even more than the owners themselves. That way, the hackers could even disable the owners' ability to remove malware and update firmware. At that point, according to the researchers, the only solution is tossing your IoT device.
There's no evidence that these bugs were found and exploited by criminals against Belkin users, but once again, they are a reminder that in this day and age, our internet-connected crock-pot are a threat to our data—even to our phones.
Get six of our favorite Motherboard stories every day by signing up for our newsletter.