The Security Ledger hosted its third annual Security of Things™ Forum back in September. One of our more notable presentations came from Scott Tenaglia of the firm Invincea, who talked about security holes he found in home automation technology sold by the firm Belkin.
Tenaglia’s research built on the work of others, including Nitesh Dhanjani’s work describing the ability to snoop user names and passwords from insecure Belkin baby cameras and IOActive’s Mike Davis, who also researched the Belkin WeMo home automation products and found problems including the flawed use of encryption technologies. WeMo devices shipped with both private and public encryption keys stored on the on devices and failed to validate SSL certificates used to authenticate inbound communications to the device, Davis discovered.
In this talk, Scott talks about a variety of flaws he found in the WeMo line of products including vulnerability to a type of attack known as SQL injection. By sending purposely mis-formed updates to WeMo devices, he found he could create his own malicious executable that was run by the WeMo smart device, allowing him to take control of those devices.
Scott’s is one of a number of presentations given at our 2016 Forum in Cambridge. If you’d like to view our other video sessions, use the form on the Contact page to request a Security of Things Forum video pass.