On paper, the Internet of Things (IoT) sounds irresistible. From remote cameras to smart fridges and Wi-Fi controlled lightbulbs, it seems the future has finally arrived. However, evidence is growing of a rush-to-market approach with security as an afterthought.

To demonstrate this, two researchers from Invincea Labs — Joe Tanen and Scott Tenaglia — are set to outline how "multiple flaws" in IoT-based Belkin WeMo products could be used to not only compromise home automation devices but also the Android devices linked to them.

The outcome of the hack could give a cybercriminal the ability to steal photos and even track locations in real time, the researchers said. The findings will be revealed in greater detail at Black Hat Europe in a talk titled 'Breaking BHAD: Abusing Belkin Home Automation Devices'.

The pair tested a slew of WeMo IoT devices and found vulnerabilities "in both the device and the Android app that can be used to obtain a root shell on the device, run arbitrary code on the phone paired with the device, deny service to the device, and launch DDoS attacks without rooting the device".

The Mirai botnet strikes

The results of the study come roughly two weeks after hackers used an IoT botnet called Mirai to launch a massive distributed denial of service attack on the Dyn DNS provider. The cyberattack resulted in a widespread internet outage that wiped out services like Reddit, Twitter and Spotify.

Tanen and Tenaglia said that two issues were found in the Belkin WeMo products. The first was an SQL injection problem that could give hackers near complete control over the IoT device – be it camera, home temperature kit or remote Wi-Fi controller.

The second issue – a so-called "naming" problem – was uncovered in the WeMo Android application used to control the products. The flaw could be exploited by hackers to inject a string of malicious Javascript codes straight into the phone.

The WeMo Android application has been downloaded between 100,000 and 500,000 times, according to Google Play statistics. While the flaw did not provide a full root of the Android smartphone, it did allow access to the granted permissions - camera, location and storage.

When a person opens the WeMo app it automatically scans to identify all IoT devices that are in range. The two researchers claimed an attacker could replace the "name" of a friendly device with the Javascript code which, when clicked, will load when the application attempts to connect.

Both security vulnerabilities were disclosed to Belkin on 11 August and patches have now been released. Users are now strongly advised to update their devices.

Speaking to Security Week, the researchers outlined a scenario in which the hack could take place. "The attacker emulates a WeMo device with a specially crafted name and follows the victim to a coffee shop," they explained.

"When they both connect to the same Wi-Fi, the WeMo app automatically queries the network for WeMo gadgets, and when it finds the malicious device set up by the attacker, the code inserted into the name field is executed on the victim's smartphone."

"It's the first case that we've found that an insecure IoT device could be used to run malicious code inside a phone," Tenaglia told Dark Reading in an interview ahead of the Black Hat Europe talk.

"In the past, people may not have been concerned if there were vulnerabilities with their Internet-connected lighting or crockpot, but now that we've discovered that bugs in IoT systems can impact their smartphones, people will pay a bit more attention."