Security researcher Nitesh Dhanjani is calling attention to another potential hole that's more subtle: the same mechanism that authorizes an iPhone that connects to a WeMo even once can be abused by malware to give virtually any Internet-connected device remote bugging capabilities. The upshot of this finding: it's trivial for any computer that is already infected to obtain the credentials to tap the audio feed of a WeMo baby monitor connected to the same home network.
Hack turns Belkin baby monitor into iPhone-controlled bugging device
The "Internet of things" may make life richer, but it can also allow new attacks.
by Dan Goodin — Oct 23 2013, 9:21am PDT
There's a reason Internet-connected thermostats, televisions, and other everyday appliances are growing increasingly popular. In an age when smartphones are nearly ubiquitous, people can crank up the heat, record TV programs, and check home-security systems without getting off the couch or leaving the little league game that's gone into extra innings.
But there's a flip side to the convenience. Just as Internet connections give new capabilities to the people using the devices, they also create new opportunities for stalkers, thieves, and hackers. A case in point: in August, Ars described how smartphone-controlled lighting systems from Philips could be commandeered by malicious websites to cause persistent blackouts. Now, the same researcher behind that hack has devised a new proof-of-concept attack. It turns a wireless baby monitor made by Belkin into a stealthy bugging device that can be accessed by someone in your front yard... or halfway around the world.
The WeMo brand monitor is simple to use. Connect it to a home Wi-Fi network and access it just once over the same network with an iPhone or iPad app Belkin makes available for free. The device will then have unfettered access to all audio picked up by the pint-sized device. Access to your home Wi-Fi network isn't necessary for the app to work after initial setup; all conversations within earshot of the monitor can be tapped as long as the iPhone or iPad has an Internet connection. The ease of connecting is no doubt intended to be one of the selling points of the WeMo monitor. But its lack of password authentication can just as easily be viewed as a liability since it exposes users to surreptitious monitoring by baby sitters, former spouses, or anyone else who even once manages to get on the home network. The only way to be sure that the device is locked down is to continually check the monitor's settings panel to ensure no unrecognized devices are connected to it.
Letting one-time access be the sole determinant for authenticating a device is likely to strike many readers as an obvious weakness. But independent security researcher Nitesh Dhanjani is calling attention to another potential hole that's more subtle: the same mechanism that authorizes an iPhone that connects to a WeMo even once can be abused by malware to give virtually any Internet-connected device remote bugging capabilities. The upshot of this finding: it's trivial for any computer that is already infected to obtain the credentials to tap the audio feed of a WeMo baby monitor connected to the same home network.
Reconsidering the Perimeter Security Argument (WeMo Baby Monitor)
Dhanjani also uncovered weaknesses in two other Belkin products. The WeMo switch, which allows people to turn electric devices on and off with a smartphone, also grants permanent permissions to any device that gains one-time access. The Belkin Wi-Fi NetCam, by contrast, requires a password to access video feeds, even by users on the same Wi-Fi network. Unfortunately, Belkin developers have undone this good deed with a fatal flaw. The password is transmitted in plaintext to a server at the IP address 126.96.36.199, once again making it trivial for machines already infected with malware to retrieve the password and tap in to the video feed. This abuse scenario opens up the possibility of a whole new wave of remote snooping that exploits webcams, microphones, and other Internet-connected devices."
Link to Original Source