Top Story: Web-connected devices in your home can spy on your phone


Smart appliances are quickly making their way into many homes. TVs, speakers, light bulbs, appliances and everything in between can do things your grandparents would never have imagined.

They call these gadgets the Internet of Things (IoT). They connect to your home Wi-Fi network and can even work alongside your smartphone or tablet. Apps associated with these products allow you to access these devices and even control them remotely. For example, a smart washer can send you an alert when it has completed a load of laundry, and some smart thermometers can keep detailed reports of your home's air quality.

There's just one problem, really. These gadgets may be designed for convenience, but they're not designed for security. In fact, many of them are riddled with bugs that open the door for hackers to access your network.

Weak security creates the potential for serious cyberattacks, such as Distributed Denial of Service (DDoS) attacks and remote overrides. We know this sounds like something pulled straight from a science fiction movie, but attacks like these have actually happened before. And quite recently.

On October 21, a massive DDoS attack took place and shut down some major websites. Even sites as large as Amazon, Netflix and Twitter were affected, leaving millions of people along the East Coast without service.

Now, hackers have figured out a way to use some of these IoT gadgets to spy on your smartphone.

A series of WeMo products, made by Belkin, have a vulnerability that allows cybercriminals to spy on phones through the WeMo Android app. Belkin has issued a fix for the flaw through a firmware update. However, the researchers who originally discovered the vulnerability told "Forbes" that the update process could be completely killed on an infected gadget, making the gadget impossible to fix.

WeMo vulnerabilities

The problem found with WeMo products was an SQL injection bug. This flaw allowed hackers to inject data into databases that are used by WeMo devices. These databases hold instructions for WeMo devices, such as when a smart appliance should automatically turn on.

It turns out that malicious code could be injected into these databases. A new SQLite file could be created in the WeMo gadget's web server root directory. The hacker would then be able to take control of the smart device.
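
As an added illustration (not Belkin's code and not part of the original article), the Python sketch below shows this class of bug against a hypothetical rules table: a rule name pasted into the SQL text can rewrite the rule, while a bound parameter stays plain data, and an SQLite authorizer refuses statements that open another database file. The table layout, function names and the sample rule name are all assumptions made for the example.

```python
import sqlite3

# Hypothetical schema: the article does not describe the real WeMo rules database.
SCHEMA = "CREATE TABLE rules (name TEXT, device TEXT, enabled INTEGER)"

# Constructed input: a rule name that contains SQL syntax.
CRAFTED_NAME = "evening', 'space_heater', 1) --"


def deny_attach(action, arg1, arg2, dbname, source):
    # Defense in depth: refuse any statement that opens another database file.
    if action in (sqlite3.SQLITE_ATTACH, sqlite3.SQLITE_DETACH):
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def open_rules_db(hardened=False):
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    if hardened:
        conn.set_authorizer(deny_attach)
    return conn


def add_rule_unsafe(conn, name):
    # Vulnerable: the supplied name is pasted into the SQL text, so a quote
    # in the name ends the string and the remainder is parsed as SQL.
    conn.execute(f"INSERT INTO rules VALUES ('{name}', 'porch_light', 0)")


def add_rule_safe(conn, name):
    # Hardened: the name is bound as a parameter and can only ever be data.
    conn.execute("INSERT INTO rules VALUES (?, 'porch_light', 0)", (name,))


def list_rules(conn):
    return conn.execute("SELECT name, device, enabled FROM rules").fetchall()


def attach_blocked(conn):
    # True when the connection refuses to open a second database.
    try:
        conn.execute("ATTACH DATABASE ':memory:' AS other")
    except sqlite3.DatabaseError:
        return True
    return False
```
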

If a cybercriminal gets control of an IoT device, they could mess with the rules established by its owner. The most likely result would be the hacker using the smart appliance as part of a botnet.

A botnet is a group of gadgets that hackers have taken over without the owners' knowledge. The hackers seize control of unwitting gadgets with a virus or malware, and then use the network of infected computers to perform large-scale hacks or scams.

This new firmware update by Belkin would prevent these SQL injection vulnerabilities. The problem now is, hackers can kill the firmware update process altogether.

Researcher Scott Tenaglia told "Forbes" that, "It's very simple to break the firmware update procedure so you can actually never update the firmware. If a device is currently compromised, then the attacker could break the update process and prevent this update from taking place."

A Belkin spokesperson told "Forbes" that the firmware update it released fixed the problem. So if you have one of these IoT devices, make sure you get the firmware update. Hopefully, Belkin is right and this takes care of its vulnerabilities.
