The Internet of things (IoT) has already been used to launch the biggest DDoS attacks ever, but now it represents a potential path for attackers to compromise cell phones.Flaws in Belkin WeMo devices - electrical switches, cameras, light bulbs, coffee makers, air purifiers, etc. \u2013 enabled Invincea Labs researchers to not only hack into the devices, but to use that access to attack an Android phone running the app that controls the WeMo devices.\u201cThis is the first instance we\u2019ve seen of IoT hacking something else,\u201d says researcher Scott Tenaglia, who pledges to look for other vulnerable devices that might be abused to carry out similar attacks.MORE: CIO security lessons, including about IoTTenaglia and his fellow researcher Joe Tanen are presenting their research this week at Black Hat Europe in London.Belkin says it has issued patches for the flaws. Invincea Labs \u201cThis is the first instance we\u2019ve seen of IoT hacking something else,\u201d says Invincea Labs researcher Scott TenagliaCARRYING OUT AN ATTACKTo carry out the attack the researchers attached a laptop to the same network that the WeMo device was connected to. They communicated with the device via universal plug and play (UPnP) messages, which are essentially Web requests to particular URLs on the device, Tenaglia says.One request they sent was for the device to change its name, and they substituted the original name with a malicious string of code.A customer can control WeMo devices via an Android application that, when it is first turned on, queries the environment for WeMo devices. One of the things the devices respond with is their names. \u201cIf the name is a malicious string, as soon as it hits the application the code executes,\u201d Tenaglia says.As a demonstration of what such a string might do, the researchers had it download all the pictures from the phone\u2019s camera to a remote server. They also had it beacon the phone\u2019s location to the researchers so the phone then acted like a geolocation tracker.The hack doesn\u2019t compromise the entire phone, just the services that the WeMo application has access to. These are the telephone, the camera, storage and location, he says.The hackers access continues even when the application is running in the background, he says. \u201cThe only way to stop it is to force-quit the app, which few users do,\u201d he says.The researchers tapped into the WeMo device via its local network, but it might be possible through Belkin\u2019s cloud infrastructure. Tenaglia says Belkin doesn\u2019t permit researchers to meddle with its cloud infrastructure, but that restriction wouldn\u2019t necessarily be observed by hackers.Going forward, apps for controlling IoT devices will have to be considered a possible security threat. \u201cThe consumer has to make the decision: \u2018Do I want the internet-enabled whatever device? Because I know it might affect the security of my phone,\u2019\u201d he says.While he plans more research into IoT security, he sees others jumping on this new means of compromising phones. \u201cThere are going to be more second- and third-order effects of having an IoT device \u2013 things we haven\u2019t thought of yet,\u201d he says.