Millions of consumer smart devices exposed by serious security flaw
A security researcher has discovered severe flaws in an Internet of Things (IoT) software feature called iLnkP2P, which renders the millions of consumer devices using it vulnerable to remote discovery and hijack.
Publicised by Paul Marrapese, neither iLnkP2P nor the Chinese company that developed it, Shenzhen Yunni Technology, will be familiar names to the people buying the products containing it.
Despite this, iLnkP2P was identified in at least two million devices made by companies including HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight, and HVCAM.
The software’s purpose is to allow IoT devices such as security webcams, baby monitors, and smart doorbells to be configured quickly without having to know how to open ports in a broadband router’s firewall.
Instead, consumers can power on their new device and instantly connect to it in peer-to-peer (P2P) fashion using an app on their computer by entering a Unique Identifier (UID). Nice and easy to use but not, it turns out, a good architecture from a security point of view.
The main iLnkP2P flaw is CVE-2019-11220, which Marrapese, for understandable reasons, doesn’t dwell on, but which he says allows attackers to carry out man-in-the-middle attacks and steal device passwords on the way to a device takeover.
However, it’s the second flaw, CVE-2019-11220, that allows attackers to discover which devices are vulnerable to the above weakness and reach out to them even when they’re on the other side of an apparently secure firewall using Network Address Translation (NAT).
Most of the devices don’t appear to use encryption. Marrapese even accuses one vendor of lying about the state of the encryption they use.
Any device using iLnkP2P is at risk. The easiest way to determine whether a device is using it is to look for the UID printed on a sticker on the side of the device (the relevant part is the prefix, the first three of the four letters). This can then be checked against the list of 91 known UIDs published by Marrapese.
However, this list isn’t exhaustive: there could be further devices, not listed, that use iLnkP2P and have different UIDs.