One of the zero days is in the WeMo Switch, a remotely controllable light switch, and the other is in the WeMo Android smartphone application.
The study into the security vulnerabilities will be presented on Friday at Black Hat Europe 2016 in London by the two Invincea researchers who detected the flaws: Scott Tenaglia, research director and principal research engineer, and Joseph Tanen, lead research engineer.
When notified on Aug. 11 of the two flaws, WeMo, which is owned by Belkin, issued a patch on Sept. 1. Further, this week, Belkin informed the two Invincea researchers that it would be issuing an automatic firmware update to address the flaws – which will be implemented automatically provided users have "upload application updates" set to automatic. Otherwise, users will receive an alert which requests their approval before install.
The researchers figured out how to get remote root, or administrative, access to the WeMo Switch, which enabled them to install software on the device, access it at the administrative level and take over the device's controls, Tenaglia said. The scenario could enable a remote attacker to manipulate the physical device, toggling a power switch fast enough to cause a light bulb to blow, for example.
While the bugs were found in two products, the team confirmed that the same firmware is used in other products from WeMo, thus they too could be vulnerable to similar SQL database injection attacks the researchers used to access remote root control.
The bug points to the vulnerability of IoT devices to interference from remote attackers.
"To best of our knowledge using an IoT device to compromise a smartphone is a nuance of IoT security that hasn't been explored prior to our research," Tenaglia told SC Media on Thursday. "It brings to light the larger issue of the second- and third-order effects of IoT insecurity."
Many users ask why they should care if someone wants to hack into their slow cooker or light switch, he said. "Prior to this research, the security community's response would have been something about botnets. Now we can say that by having an insecure IoT device you might also be affecting the security of a device that you care much more about, like your smartphone. We may really have reached a point where users are going to have to weigh the option of having an internet-connected Crockpot against having a secure smartphone."