Two vulnerabilities discovered by a researcher in the iLnkP2P peer-to-peer (P2P) system expose millions of IoT devices, mostly cameras, to remote attack over the Internet, and no patches are available.
Paul Marrapese, a California-based security engineer, has found two serious flaws in iLnkP2P, a P2P solution developed by the Chinese company Shenzhen Yunni Technology Company, Inc. iLnkP2P makes it easier for users to connect to their IoT devices from their phones or computers.
According to the researcher, iLnkP2P is used in devices sold under several hundred brands, including Hichip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, EyeSight and HVCAM. The affected products include cameras, baby monitors and smart doorbells. An Internet scan performed by Marrapese found more than two million vulnerable devices.
The researcher identified two vulnerabilities. The first, tracked as CVE-2019-11219, is an enumeration flaw that allows attackers to quickly discover Internet-exposed devices. The second, CVE-2019-11220, can be used to intercept connections and conduct man-in-the-middle (MitM) attacks against affected devices, which lets a malicious actor obtain the device password and hijack the device.
Marrapese told SecurityWeek that the two vulnerabilities can be combined to launch mass attacks. He explained that exploiting CVE-2019-11220 for MitM attacks does not require access to the targeted user's network, but the attacker needs the IP address of the P2P server, which is not difficult to obtain from the device.
“While CVE-2019-11220 specifically targets an individual device, CVE-2019-11219 can be used very quickly to find many devices. There’s nothing stopping an attacker from targeting them all at that point,” the researcher explained.
“When a user tries to connect with his camera, the P2P server co-ordinates the user-device connection. CVE-2019-11220 allows an attacker to influence the connection: the user is connected to the attacker instead of the device, and the credentials are collected,” he said.
Marrapese has been trying to report his findings to the affected vendors since mid-January, but has not received an answer. He also informed the CERT Coordination Center (CERT/CC) at Carnegie Mellon University's Software Engineering Institute, which passed the information to China's national CERT.
Since no patches are available, and none are likely to be released soon, Marrapese recommends that users of affected devices discard them and buy new ones from reputable vendors. One mitigation is to block traffic to UDP port 32100 at the network perimeter, which prevents vulnerable devices from being reached via P2P from external networks.
A list of UID prefixes has been published to help users determine whether their devices are vulnerable. The prefix is part of the device's serial number (UID), which is typically printed on a product label.
Marrapese has developed proof-of-concept (PoC) exploits but does not plan to release any code, to prevent abuse. He believes it would not be easy for malicious actors to find the vulnerabilities on their own.
“Understanding the P2P protocol requires moderate effort, as it is completely undocumented. Once an attacker spends time learning the protocol, it is not so difficult to find CVE-2019-11220,” he said via email. “However, I believe that it would take considerable effort to determine the details of the listing vulnerability. This, in turn, contributes to reducing the current risk of CVE-2019-11220, because an attacker must know a specific device UID to attack.”
Marrapese told security blogger Brian Krebs that 39% of the vulnerable devices are located in China, 19% in Europe and 7% in the US. Almost half of them are made by Hichip, a Chinese company.
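The two defensive steps above, the UDP port 32100 block and the UID prefix check, suggest a simple triage a network owner can run: find which hosts on the LAN are talking to P2P servers on UDP 32100, then look up the UID printed on each of those devices and compare its prefix against the published list. The script below is an added example written for this page; it is not the researcher's code, not the published prefix list, and not a real log. The log lines, the device inventory, the label layout (prefix, hyphen, digits, hyphen, suffix) and the prefixes "ABCD" and "WXYZ" are all constructed for illustration; substitute the real prefix list and your own firewall logs when using it.

```python
import re
from collections import defaultdict

# UDP port the article names as the iLnkP2P rendezvous port.
P2P_PORT = 32100

# Constructed sample firewall log in a simplified "ts proto src:sport -> dst:dport" form.
# These lines are made up for the example; they do not come from any real device.
SAMPLE_LOG = """\
2019-04-26T10:00:01 UDP 192.168.10.21:49152 -> 203.0.113.5:32100
2019-04-26T10:00:02 TCP 192.168.10.22:51000 -> 198.51.100.7:443
2019-04-26T10:00:03 UDP 192.168.10.21:49152 -> 203.0.113.6:32100
2019-04-26T10:00:04 UDP 192.168.10.23:40000 -> 203.0.113.5:32100
2019-04-26T10:00:05 UDP 192.168.10.24:5353 -> 224.0.0.251:5353
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Hypothetical affected-prefix list. The real list is the one published by the
# researcher; these two values are placeholders for the example only.
AFFECTED_PREFIXES = {"ABCD", "WXYZ"}

# Constructed LAN inventory mapping device IP -> UID copied from the product label.
INVENTORY = {
    "192.168.10.21": "ABCD-123456-ABCDE",
    "192.168.10.22": "WXYZ-000001-KLMNO",  # on the list, but never seen on 32100 in the log
    "192.168.10.23": "QRST-654321-FGHIJ",
}


def p2p_talkers(log_text):
    """Return {src_ip: sorted list of P2P server IPs} for hosts sending UDP to port 32100.

    Lines that do not match the expected layout are skipped rather than raising, so a
    partially garbled log still yields the hosts that were parseable.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        if m["proto"] == "UDP" and int(m["dport"]) == P2P_PORT:
            seen[m["src"]].add(m["dst"])
    return {ip: sorted(servers) for ip, servers in seen.items()}


def uid_prefix(uid):
    """Extract the prefix (the part before the first hyphen) from a UID label.

    Assumes the label layout PREFIX-NNNNNN-XXXXX. Whitespace and case on a hand-typed
    label are normalised; a label with no hyphen or a non-alphabetic first field returns
    None, meaning the prefix could not be determined rather than "not affected".
    """
    cleaned = uid.strip().upper().replace(" ", "")
    if "-" not in cleaned:
        return None
    prefix = cleaned.split("-", 1)[0]
    return prefix if prefix.isalpha() else None


def is_affected_uid(uid, prefixes=AFFECTED_PREFIXES):
    """True only when a prefix was recovered from the label and it is on the list."""
    prefix = uid_prefix(uid)
    return prefix is not None and prefix in prefixes


def triage(log_text, inventory, prefixes=AFFECTED_PREFIXES):
    """For every host seen talking to a P2P server, report its UID and whether the
    UID prefix is on the affected list (None when the host is not in the inventory)."""
    report = {}
    for ip, servers in p2p_talkers(log_text).items():
        uid = inventory.get(ip)
        report[ip] = {
            "p2p_servers": servers,
            "uid": uid,
            "affected_prefix": is_affected_uid(uid, prefixes) if uid else None,
        }
    return report


if __name__ == "__main__":
    for ip, info in sorted(triage(SAMPLE_LOG, INVENTORY).items()):
        print(ip, info)
```

Two points worth keeping in mind when reading the output: a device that is on the prefix list but never appears on port 32100 (192.168.10.22 in the sample) is still affected and simply was not active during the log window, so the inventory check matters independently of the traffic check; and blocking UDP 32100 at the perimeter also removes the device's intended remote access through the vendor app, which is the trade-off the article's mitigation implies.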