
Flawed P2P technology threatens millions of IoT devices

At least two million internet-connected devices featuring the peer-to-peer (P2P) communications technology iLnkP2P contain two major security flaws that could allow malicious actors to discover the products online, snoop on them and hijack them.

Security researcher Paul Marrapese discovered the issue in hundreds of brands of security cameras, baby monitors, smart doorbells and digital video recorders. Affected brands include, but are not limited to, HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight and HVCAM.

Developed by China-based Shenzhen Yunni Technology Company, Inc., iLnkP2P is designed to give consumers a hassle-free way to access their IoT devices remotely from a phone or computer by inputting a serial number known as a UID. However, the software was found to contain two key vulnerabilities, as Marrapese explains in a web page detailing his discovery.

The first bug, CVE-2019-11219, is an enumeration flaw that allows attackers to discover devices that are online, then connect to them while bypassing firewall restrictions. "The algorithm used to generate device IDs (UIDs) for devices that utilize Shenzhen Yunni Technology iLnkP2P suffers from a predictability flaw that allows remote attackers to establish direct connections to arbitrary devices," states a vulnerability advisory from The MITRE Corporation.

Flaw number two is CVE-2019-11220, an authentication vulnerability that allows remote actors to intercept user-to-device traffic such as video streams and device credentials in clear text. Attackers could then use this ability to perform man-in-the-middle (MITM) attacks through which they could steal credentials and take over devices.

Marrapese says he previously reached out to several affected device vendors (initially on Jan. 15) and iLnkP2P's makers (initially on Feb. 4), as well as China's CERT (on April 1 via the U.S.-based CERT/CC), but received no responses. The vulnerabilities remain unpatched to this day.

On his Krebs on Security website, security expert Brian Krebs has reported that Marrapese created a proof-of-concept script that identified more than 2 million vulnerable devices connected to the Internet. The largest share, 39 percent, are located in China, while 19 percent are based in Europe and seven percent are in the U.S.

"The nature of these vulnerabilities makes them extremely difficult to remediate for several reasons," Marrapese wrote, according to Krebs. "Software-based remediation is unlikely due to the infeasibility of changing device UIDs, which are permanently assigned during the manufacturing process. Furthermore, even if software patches were issued, the likelihood of most users updating their device firmware is low. Physical device recalls are unlikely as well because of considerable logistical challenges."

Rather than waiting for a patch, Marrapese recommends buying a new device from a credible vendor or, failing that, blocking outbound traffic to UDP port 32100.

Consumers can check to see if their devices are impacted. To help in this regard, Marrapese's web page lists the various UID prefixes of affected products. He also references several Android apps that, if installed, could mean a product is vulnerable.
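The port-blocking advice above can also be turned into a detection step: a home gateway that logs outbound connections will show which LAN hosts are reaching out on UDP 32100, and those are the devices worth inspecting. The script below is an added example, not code from the article or from Marrapese; it assumes the gateway is Linux and writes standard netfilter LOG lines to syslog (the sample lines and addresses are constructed).

```python
import re
from collections import defaultdict

# UDP port used by iLnkP2P rendezvous traffic, per the article's mitigation advice.
ILNKP2P_PORT = 32100

# Constructed sample of netfilter LOG output from a hypothetical gateway "gw".
SAMPLE_LOG = """\
Apr 29 10:01:02 gw kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.10 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=4011 PROTO=UDP SPT=49152 DPT=32100 LEN=36
Apr 29 10:01:03 gw kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4012 PROTO=TCP SPT=51000 DPT=443 WINDOW=64240
Apr 29 10:01:07 gw kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.11 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=4013 PROTO=UDP SPT=49152 DPT=32100 LEN=36
Apr 29 10:01:09 gw kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.55 DST=203.0.113.12 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=4014 PROTO=UDP SPT=40000 DPT=32100 LEN=28
Apr 29 10:01:12 gw kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.9 LEN=70 TOS=0x00 PREC=0x00 TTL=64 ID=4015 PROTO=UDP SPT=53210 DPT=53 LEN=50
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line):
    """Turn the KEY=VALUE fields of a netfilter LOG line into a dict."""
    return dict(KV_RE.findall(line))


def find_p2p_talkers(log_text, port=ILNKP2P_PORT):
    """Map each LAN source IP that sent UDP to `port` to the sorted set of
    external addresses it contacted. Hosts that never hit the port are omitted."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_kv(line)
        if f.get("PROTO") == "UDP" and f.get("DPT") == str(port) and "SRC" in f:
            hits[f["SRC"]].add(f.get("DST", "?"))
    return {src: sorted(dsts) for src, dsts in hits.items()}


def block_rules(port=ILNKP2P_PORT, lan_if="br0"):
    """iptables commands implementing the article's mitigation on the gateway:
    log, then drop, outbound UDP to the P2P port from the LAN interface."""
    base = f"iptables -A FORWARD -i {lan_if} -p udp --dport {port}"
    return [f"{base} -j LOG --log-prefix 'ILNKP2P-DROP '", f"{base} -j DROP"]


if __name__ == "__main__":
    for src, dsts in find_p2p_talkers(SAMPLE_LOG).items():
        print(f"{src} contacted UDP/{ILNKP2P_PORT} on {', '.join(dsts)}")
    print("\n".join(block_rules()))
```

Run it against the gateway's real syslog to get the list of internal hosts to check against the UID prefixes on Marrapese's page; the printed iptables lines are the corresponding block rules.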

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
