Trend Micro reveals that iLnkP2P flaws expose over 2 million IoT devices to remote attacks

Millions of security cameras and other internet of things (IoT) devices were found with critical security flaws involving peer-to-peer (P2P) communications technology. The weaknesses can expose the devices to credential theft, eavesdropping, hijacking, and remote attacks.

Security researcher Paul Marrapese shared with KrebsOnSecurity the dangers of iLnkP2P, the vulnerable firmware component that is bundled with millions of IoT devices such as baby monitors, IP cameras, smart doorbells, and digital video recorders (DVRs). It allows users to access the devices remotely without having to change firewall settings. Simply put, the component allows devices to talk to vendors’ servers via the P2P protocol.

Vulnerable devices carry a serial number known as a UID, whose alphabetic prefix identifies the manufacturer that produced the device. A list of these prefixes identifies the vendors and products that use iLnkP2P; if a device's prefix (typically stamped on the bottom of the device) appears in the list, the device is vulnerable.

Devices paired with certain Android apps may also be vulnerable: HiChip (CamHi, P2PWIFICAM, iMega Cam, WEBVISION, P2PIPCamHi, IPCAM P); VStarcam (Eye4, EyeCloud, VSCAM, PnPCam); Wanscam (E View7); NEO (P2PIPCAM, COOLCAMOP); Sricam (APCamera); and various vendors (P2PCam_HD).

According to Marrapese, iLnkP2P devices have an enumeration vulnerability (assigned as CVE-2019-11219) that can allow potential attackers to easily discover devices and establish a direct connection to them while bypassing firewall restrictions. Notably, iLnkP2P devices offer no authentication or encryption.

Marrapese’s research suggests that vendors may find it difficult to remediate the aforementioned vulnerabilities. For one thing, changing device UIDs is infeasible, so software-based remediation is unlikely. Patches are also currently unavailable. The researcher points out that even if vendors provide security updates, some users are unlikely to update their device firmware. Moreover, thorough device recalls may not be logistically possible.

Devices that contain the component in question are also vulnerable to an authentication vulnerability (CVE-2019-11220) that allows device passwords to be stolen and, eventually, the affected devices to be taken over. The authentication vulnerability targets individual devices, while the enumeration vulnerability can be used to find many devices.

Marrapese built a proof-of-concept (PoC) script that identified upwards of two million vulnerable devices across the world. He found 39% of vulnerable IoT devices were located in China, 19% in Europe, and 7% in the United States. His PoC attack can steal passwords from affected devices and also abuse a built-in “heartbeat” feature that IoT devices can use to declare their presence in networks.

An attacker with a valid device UID can send spoofed heartbeat messages to the network and render those actually sent by the device useless. Notably, an attacker may not even need to guess passwords, since many users leave default credentials on their devices, which makes an attack easier to carry out.

There is no straightforward way to turn off the P2P functionality in these devices. IoT devices can also use the Universal Plug and Play (UPnP) feature built into routers to change certain settings. Users can consider disabling UPnP, but doing so limits some functionality, such as local device discovery and the requests devices make through it.

If devices are confirmed to be vulnerable, it is recommended that they be replaced altogether with ones from reputable vendors that regularly provide security updates and patches for discovered vulnerabilities. If disposing of the vulnerable device is not possible, setting up firewall rules that block outbound traffic to UDP port 32100 can decrease the risk related to P2P functions. This does not prevent local access via P2P, but it does block external networks from reaching the devices.
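The following added example (not code from Trend Micro, Marrapese, or any device vendor) shows how a home or small-office administrator could act on the advice above: it scans iptables-style firewall log lines for LAN hosts sending UDP to port 32100 through the WAN interface, which inventories the devices that still speak the P2P protocol, and then renders the egress rules that log and drop that traffic. The log format, the `FW-EGRESS` prefix, the interface names, and all addresses are constructed for the example and are assumptions, not values from the article.

```python
import re
from collections import defaultdict

# UDP port used by the iLnkP2P traffic the article recommends blocking.
ILNKP2P_UDP_PORT = 32100

# Constructed sample of iptables LOG output (assumption: a FORWARD rule with
# --log-prefix "FW-EGRESS " on a router whose LAN bridge is br-lan and whose
# WAN interface is eth0). The last line is LAN-to-LAN traffic, which the
# recommended egress block deliberately does not touch.
SAMPLE_LOG = """\
Apr 30 10:01:02 gw kernel: FW-EGRESS IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 PROTO=UDP SPT=41234 DPT=32100
Apr 30 10:01:03 gw kernel: FW-EGRESS IN=br-lan OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 PROTO=TCP SPT=50000 DPT=443
Apr 30 10:01:05 gw kernel: FW-EGRESS IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=203.0.113.11 PROTO=UDP SPT=41234 DPT=32100
Apr 30 10:01:09 gw kernel: FW-EGRESS IN=br-lan OUT=eth0 SRC=192.168.1.77 DST=203.0.113.10 PROTO=UDP SPT=6000 DPT=32100
Apr 30 10:01:10 gw kernel: FW-EGRESS IN=br-lan OUT=br-lan SRC=192.168.1.20 DST=192.168.1.50 PROTO=UDP SPT=5555 DPT=32100
"""

# Matches the KEY=VALUE fields that iptables LOG lines carry.
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_log_line(line):
    """Return the KEY=VALUE fields of one iptables-style LOG line as a dict."""
    return dict(FIELD_RE.findall(line))


def find_p2p_talkers(log_text, wan_if="eth0", port=ILNKP2P_UDP_PORT):
    """Map each LAN source address to the sorted list of remote hosts it sent
    UDP traffic to on `port` via the WAN interface.

    Only flows leaving through `wan_if` count, so local P2P use on the LAN
    (which the egress block leaves alone) is not reported as a finding.
    """
    talkers = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if fields.get("PROTO") != "UDP" or fields.get("OUT") != wan_if:
            continue
        if fields.get("DPT") != str(port):
            continue
        talkers[fields["SRC"]].add(fields["DST"])
    return {src: sorted(dsts) for src, dsts in talkers.items()}


def egress_block_rules(wan_if="eth0", port=ILNKP2P_UDP_PORT, log_prefix="ILNKP2P-EGRESS "):
    """Render iptables FORWARD rules that first log, then drop, outbound UDP
    to `port` on the WAN interface. Logging before dropping keeps the blocked
    devices visible in the same log feed that find_p2p_talkers() reads.

    The rules are appended (-A); on a router whose FORWARD chain accepts LAN
    traffic earlier in the chain they must be inserted ahead of that ACCEPT.
    """
    match = f"-o {wan_if} -p udp --dport {port}"
    return [
        f'iptables -A FORWARD {match} -j LOG --log-prefix "{log_prefix}"',
        f"iptables -A FORWARD {match} -j DROP",
    ]


if __name__ == "__main__":
    for lan_ip, remotes in find_p2p_talkers(SAMPLE_LOG).items():
        print(f"{lan_ip} sent UDP/{ILNKP2P_UDP_PORT} to: {', '.join(remotes)}")
    print("\nSuggested egress rules:")
    for rule in egress_block_rules():
        print(rule)
```

Run against a real router, the log text would come from the kernel log (for example the output of `dmesg` or `journalctl -k`) on a router that already logs forwarded traffic; the two LAN hosts the sample turns up are the ones whose firmware still registers with the vendor's P2P servers and therefore the ones to replace or isolate first.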

Trend Micro reported earlier this month that users of Chromecast streaming dongles, Google Home devices, and smart TVs were inundated with a message promoting YouTuber PewDiePie’s channel. The hijacking is said to be part of an ongoing subscriber count battle on the video sharing site.

The hackers behind it reportedly took advantage of poorly configured routers that had the Universal Plug and Play (UPnP) service enabled, which caused the routers to forward public ports to the private devices and be open to the public internet.

Many devices such as cameras, printers, and routers use UPnP to automatically discover and vet other devices on a local network and to communicate with each other for data sharing or media streaming. UPnP works with network protocols to configure communications in the network. But with its convenience come security holes that range from attackers gaining control of devices to bypassing firewall protections.
