Leave a comment

Top Story: Web-connected devices in your home can spy on your phone

Top Story: Web-connected devices in your home can spy on your phone
photo courtesy of shutterstock

Smart appliances are quickly making their way into many homes. TVs, speakers, light bulbs, appliances and everything in between can do things your grandparents would never have imagined.

They call these gadgets the Internet of Things (IoT). They connect to your home Wi-Fi network and can even work alongside your smartphone or tablet. Apps associated with these products allow you to access these devices and even control them remotely. For example, a smart washer can send you an alert when it has completed a load of laundry, and some smart thermometers can keep detailed reports of your home's air quality.

There's just one problem, really. These gadgets may be designed for convenience, but they're not designed for security. In fact, many of them are riddled with bugs that open the door for hackers to access your network.

Weak security creates the potential for serious cyberattacks, such as Distributed Denial of Service (DDoS) attacks and remote overrides. We know this sounds like something pulled straight from a science fiction movie, but attacks like these have actually happened before. And quite recently.

On October 21, a massive DDoS attack took place and shut down some major websites. Even sites as large as Amazon, Netflix and Twitter were affected, leaving millions of people along the East Coast without service.

Now, hackers have figured out a way to use some of these IoT gadgets to spy on your smartphone.

A series of WeMo products, made by Belkin, have a vulnerability that allows cybercriminals to spy on phones through its Android app. Belkin has issued a fix for the flaw through a firmware update. However, the researchers who originally discovered the vulnerability told "Forbes" that the update process could be completely killed on an infected gadget, making it impossible to be fixed.

WeMo vulnerabilities

The problem found with WeMo products was an SQL injection bug. This flaw allowed hackers to inject data into databases that are used by WeMo devices. These databases hold instructions for WeMo devices, such as when a smart appliance should automatically turn on.

It turns out that malicious code could be injected into these databases. A new SQLite file could be created in the WeMo gadget's web server root directory. The hacker would then be able to take control of the smart device.

If a cybercriminal gets control of an IoT device, they could mess with the rules established by its owner. The most likely result would be the hacker using the smart appliance as part of a botnet.

A botnet is a group of gadgets that hackers have taken over without the owners' knowledge. The hackers seize control of unwitting gadgets with a virus or malware, and then use the network of infected computers to perform large-scale hacks or scams.

This new firmware update by Belkin would prevent these SQL injection vulnerabilities. The problem now is, hackers can kill the firmware update process altogether.

Researcher Scott Tenaglia told "Forbes" that, "It's very simple to break the firmware update procedure so you can actually never update the firmware. If a device is currently compromised, then the attacker could break the update process and prevent this update from taking place."

A Belkin spokesperson told "Forbes" that the firmware update it released fixed the problem. So if you have one of these IoT devices, make sure you get the firmware update. Hopefully, Belkin is right and this takes care of its vulnerabilities.

Protecting your IoT gadgets

Since these IoT appliance infections only reside on temporary memory, the first thing you have to do is reboot the device to clear out the malware.

Next, you need to secure your router. If you're not sure where to start, click here for one thing your router needs to keep hackers out, and here for an easy way to find and change your router's password.

There are also several routers that are now out of date or plagued with security problems. Is your router one of them? Click here to see the full list and find out.

Beyond that, you need to be smart with your web-connected devices. The steps it takes to secure these devices varies from product to product, so it's a good idea to reach out to each of the manufacturers - but, here's a general place to get started.

Finally, check for firmware updates. Now, with these attacks out in the open, manufacturers will start issuing security patches to prevent such infections. It's important to keep your firmware always up to date. If your gadget does not automatically fetch firmware updates, make sure to manually check at least every three months.

Click here for a more in-depth look at protecting your IoT gadgets.

More news stories you can't miss:

Friday hack leads to major recall on web-connected products

Apple just blocked this dangerous app - Is it on your phone?

Big mistake people make booking rooms online

Next Story
View Comments ()
Apple just blocked this dangerous app - Is it on your phone?
Previous Happening Now

Apple just blocked this dangerous app - Is it on your phone?

9 out of 10 people get this puzzle wrong - Can you solve it?
Next Happening Now

9 out of 10 people get this puzzle wrong - Can you solve it?