2 Million IoT Devices Have P2P Software Flaw: Researcher
Vulnerabilities Found in Security Cameras, Baby Monitors and More
Nearly 2 million internet of things devices, including security cameras, baby monitors and "smart" doorbells, are vulnerable to being compromised due to a flaw in their built-in peer-to-peer software, a security researcher warns.
Paul Marrapese, an independent security researcher from San Jose, California, has published research warning that peer-to-peer software developed by Chinese firm Shenzhen Yunni Technology that's used in millions of IoT devices around the world has a vulnerability that could allow an attacker to eavesdrop on conversations or press household items into service as nodes in a botnet.
The Shenzhen Yunni software, called iLnkP2P, is designed to enable a user to connect to IoT devices from anywhere by using a smartphone app. The iLnkP2P functionality is built into a range of products from companies that include HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight, and HVCAM.
What Marrapese found, however, is that as many as 2 million devices, and possibly more, using iLnkP2P software for P2P communication do not have authentication or encryption controls built in, meaning that an attacker could directly connect to a device and bypass the firewall.
Marrapese discovered the iLnkP2P flaw after buying an inexpensive IoT-connected camera on Amazon.
"I found that I was able to connect to it externally without any sort of port forwarding, which both intrigued and concerned me," Marrapese tells Information Security Media Group. "I found that the camera used P2P to achieve this, and started digging into how it worked. From there, I quickly learned how ubiquitous and dangerous it was."
The Trouble with P2P Software
While the flaws with the iLnkP2P peer-to-peer software apparently have not yet been exploited in the wild, Marrapese believes it's better for consumers to know now before an attacker decides to start taking advantage of this particular vulnerability.
"There have been plenty of stories in the past about IP cameras and baby monitors being hacked, but I believe iLnkP2P is a brand new vector not currently being exploited in the wild," Marrapese says. "With that being said, the biggest motivation behind this disclosure is to inform consumers before it's too late - because I believe it's only a matter of time."
"Millions of security cameras, baby monitors, and "smart" doorbells have serious vulnerabilities that allow hackers to spy on their owners. More information here: https://t.co/vYM8wAXnI8" - Paul Marrapese (@PaulMarrapese), April 26, 2019
As part of his research, Marrapese says he attempted to contact not only Shenzhen Yunni Technology - the company also renders its name as Shenzhen Yuni - but also several of the IoT manufacturers that use the company's P2P software. As of Monday, even after publishing results, he had not heard back from anyone.
Not-So-Secure Security Cameras
Users of IoT devices that make use of the Shenzhen Yunni software scan a barcode or copy a six-digit number that is included on the product. From there, the owner can access the device from a smartphone app.
It's through these unique identifier numbers that Marrapese was able to discover that each device manufacturer used a specific alphabetic prefix to identify their particular product. For instance, HiChip uses "FFFF" as a prefix for the identity number for its devices.
Through his research, Marrapese found that 39 percent of the vulnerable IoT devices that used the iLnkP2P software were located in China. Another 19 percent are in use in Europe and 7 percent within the U.S., according to security blogger Brian Krebs, who first reported on the research.
Once Marrapese was able to identify these devices through the unique number systems, he created several proof-of-concept attacks that took advantage of the flaws in the software.
Two CVE numbers have been assigned to these vulnerabilities.
The first, CVE-2019-11219, is for an enumeration vulnerability within the software that allows attackers to rapidly discover these IoT devices. In this case, an attacker could directly connect to a vulnerable device while bypassing firewall restrictions.
The second, CVE-2019-11220, is for an authentication vulnerability in the software that could allow a hacker to create a man-in-the-middle attack, which enables taking control of the device and stealing passwords.
The fact that an attacker can identify millions of connected devices using basic tools and taking advantage of default passwords and identity numbers shows the weakness that comes with P2P software, Marrapese contends.
"You don't need to crawl the entirety of IPv4 space to find these devices - single servers can put you directly in touch with millions of these devices. It's shooting fish in a barrel," Marrapese says. "On top of that, these 'features' introduce other scenarios where changing the default password won't help you from being hijacked. It's an example of how flaws in a transport layer can quickly disarm other security measures."
The Hidden Dangers of IoT
These types of flaws in IoT devices are becoming more prevalent, especially as the number of connected devices, whether in the home, the office or the factory floor, continues to grow. By 2020, Gartner calculates, there will be more than 20.4 billion connected devices in use around the globe, with spending on endpoints and services surpassing $2 trillion.
In October 2018, SEC Consult, a security consulting firm, warned that IoT devices developed by Hangzhou Xiongmai Technology Co. Ltd. had serious flaws that could allow an attacker to view private video streams from connected cameras or use vulnerable devices to create a Mirai-style botnet (see: Review Shows Glaring Flaws In Xiongmai IoT Devices).
In the rush to connect these various devices, companies and their customers have sacrificed some of the basic security standards, says Joe Lea, vice president of product at Armis, a security vendor based in Palo Alto, California.
"'Security cameras' continue to be the oxymoron of the 21st century," Lea says. "This is a perfect storm of a security exposure for an IoT device - no authentication, no encryption, near impossible upgrade path. We have to stop enabling connectivity over security."
Marrapese's advice for anyone who might have purchased one of these devices is to discard it and buy a new one. He notes that a user can change the default password from the manufacturer, but the vulnerability will remain.
"If someone finds they have a vulnerable device, I would sincerely recommend throwing it away. The value of these devices is not worth the risk they present," Marrapese says. "Even if a device is put on a separate network, hackers can still view the camera. Buy a new one, preferably one from a reputable vendor that does not use P2P."