At least two million internet-connected devices featuring the peer-to-peer (P2P) communications technology iLnkP2P contain two major security flaws that could allow malicious actors to discover the products online, snoop on them and hijack them.
Security researcher Paul Marrapese discovered the issue in hundreds of brands of security cameras, baby monitors, smart doorbells and digital video recorders. Affected brands include, but are not limited to, HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight and HVCAM.
Developed by China-based Shenzhen Yunni Technology Company, Inc., iLnkP2P is designed to give consumers a hassle-free way to access their IoT devices remotely from a phone or computer by inputting a serial number known as a UID. However, the software was found to contain two key vulnerabilities, as Marrapese explains in a web page detailing his discovery.
The first bug, CVE-2019-11219, is an enumeration flaw that allows attackers to discover devices that are online, then connect to them while bypassing firewall restrictions. “The algorithm used to generate device IDs (UIDs) for devices that utilize Shenzhen Yunni Technology iLnkP2P suffers from a predictability flaw that allows remote attackers to establish direct connections to arbitrary devices,” states a vulnerability advisory from The MITRE Corporation.
Flaw number two is CVE-2019-11220, an authentication vulnerability that allows remote actors to intercept user-to-device traffic such as video streams and device credentials in clear text. Attackers could then use this ability to perform man-in-the-middle (MITM) attacks through which they could steal credentials and take over devices.
Marrapese says he previously reached out to several affected device vendors (initially on Jan. 15) and iLnkP2P’s makers (initially on Feb. 4), as well as China’s CERT (on April 1 via the U.S.-based CERT/CC), but received no responses. The vulnerabilities remain unpatched to this day.
On his Krebs on Security website, security expert Brian Krebs has reported that Marrapese created a proof-of-concept script that identified more than 2 million vulnerable devices connected to the Internet. The largest share, 39 percent, are located in China, while 19 percent are based in Europe and seven percent are in the U.S.
“The nature of these vulnerabilities makes them extremely difficult to remediate for several reasons,” Marrapese wrote, according to Krebs. “Software-based remediation is unlikely due to the infeasibility of changing device UIDs, which are permanently assigned during the manufacturing process. Furthermore, even if software patches were issued, the likelihood of most users updating their device firmware is low. Physical device recalls are unlikely as well because of considerable logistical challenges.”
Rather than waiting for a patch, Marrapese recommends buying a new devices from a credible vendor or, failing that, blocking outbound traffic to UDP port 32100.
Consumers can check to see if their devices are impacted. To help in this regard, Marrapese’s web page lists the various UID prefixes of affected products. He also references several Android apps that, if installed, could mean a product is vulnerable.