Security Flaws in P2P Leave IoT Devices Vulnerable

Written by

Malicious actors could exploit critical security vulnerabilities in a peer-to-peer (P2P) communications technology used across millions of internet of things (IoT) devices, according to research first reported by KrebsonSecurity.

Security researcher Paul Marrapese initially reported the vulnerabilities to the device vendor on January 15, 2019, but received no response. Nor did the vendor respond to the second or third advisory notices with intent to disclose. After three months, the critical flaws were publicly disclosed on April 24.

Developed by Shenzhen Yunni Technology Company Inc., Ltd., iLnkP2P is one of several communications technology solutions often used by device manufacturers, according to Marrapese, adding that the vulnerabilities are specific to devices using the iLnkP2P solution.

On April 26, Marrapese published a blog in which he listed the prefixes of devices that are known to be vulnerable. Warning users that hackers could exploit the P2P connection and access IoT devices, including security cameras, without the owner’s knowledge, Marrapese wrote:

Over 2 million vulnerable devices have been identified on the Internet, including those distributed by HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight, and HVCAM. Affected devices use a component called iLnkP2P. Unfortunately, iLnkP2P is used by hundreds of other brands as well, making identification of vulnerable devices difficult.

Marrapese also tweeted: “Millions of security cameras, baby monitors, and 'smart' doorbells have serious vulnerabilities that allow hackers to spy on their owners.”

Even if devices encrypt traffic, Marrapese said they are likely not free from the risk of being exploited. “Analysis of a wide range of devices has suggested that most devices do not employ encryption at all, or do so in an insecure fashion. Some vendors (notably VStarcam) have gone as far as outright lying about their use of encryption.”

What’s hot on Infosecurity Magazine?