A P2P (peer-to-peer) technology built into millions of IoT (Internet of Things) devices, including security cameras, smart doorbells, baby monitors and video recorders, has many security flaws that allow those devices to be compromised easily, exposing users to eavesdropping, credential theft and remote takeover.
KrebsOnSecurity reported that the dangers stem from iLnkP2P, Chinese software from Shenzhen Yunni Technology. iLnkP2P, which is designed to let owners easily access their devices from any location, is built into millions of IoT devices.
The technology is designed to work through a firewall without altering it: a user just downloads an app and either scans a barcode or enters a six-digit number found on the device.
Paul Marrapese, a KrebsOnSecurity researcher, identified upwards of two million vulnerable devices all over the world, with 39 percent in China, 19 percent in Europe and 7 percent in the United States.
He also built a proof-of-concept attack that can compromise passwords from these devices using what is called a “heartbeat” feature, where the device sends a regular message to a preconfigured P2P server as if to say, “Here I am.”
“A P2P server will direct connection requests to the origin of the most recently received heartbeat message,” Marrapese said. “Simply by knowing a valid device UID, it is possible for an attacker to issue fraudulent heartbeat messages that will supersede any issued by the genuine device. Upon connecting, most clients will immediately attempt to authenticate as an administrative user in plaintext, allowing an attacker to obtain the credentials to the device.”
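The routing rule Marrapese describes, modelled as an added example (not code from iLnkP2P, the article or the researcher): a registry where the latest heartbeat for a UID wins, beside a hypothetical hardened variant that accepts a heartbeat only if it carries an HMAC under a per-device key and an increasing counter. The class names, UID, key and addresses are constructed for illustration.

```python
import hashlib
import hmac

class NaiveRendezvous:
    """Model of the quoted behaviour: the most recent heartbeat for a UID wins."""
    def __init__(self):
        self.routes = {}  # uid -> address that sent the latest heartbeat

    def heartbeat(self, uid, addr):
        self.routes[uid] = addr  # no proof that the sender is the real device
        return True

    def lookup(self, uid):
        return self.routes.get(uid)

class AuthenticatedRendezvous(NaiveRendezvous):
    """Hypothetical hardening: heartbeats are authenticated, not just labelled."""
    def __init__(self, device_keys):
        super().__init__()
        self.keys = device_keys  # uid -> per-device secret (assumed provisioned)
        self.last_counter = {}   # uid -> highest counter accepted (replay guard)

    def heartbeat(self, uid, addr, counter=0, tag=b""):
        key = self.keys.get(uid)
        if key is None or counter <= self.last_counter.get(uid, 0):
            return False         # unknown device, or stale/replayed counter
        if not hmac.compare_digest(tag, sign(key, uid, counter)):
            return False         # knowing the UID alone is not enough
        self.last_counter[uid] = counter
        self.routes[uid] = addr
        return True

def sign(key, uid, counter):
    """Tag a device holding `key` attaches to heartbeat number `counter`."""
    return hmac.new(key, f"{uid}|{counter}".encode(), hashlib.sha256).digest()

def demo():
    uid, key = "EXMP-000001-ABCDE", b"constructed-device-secret"  # constructed
    device, other = "198.51.100.7:4000", "203.0.113.9:4000"       # doc-range IPs
    naive = NaiveRendezvous()
    naive.heartbeat(uid, device)
    naive.heartbeat(uid, other)  # second sender knows only the UID
    hardened = AuthenticatedRendezvous({uid: key})
    hardened.heartbeat(uid, device, 1, sign(key, uid, 1))
    rejected = not hardened.heartbeat(uid, other, 2, b"\x00" * 32)       # no key
    replayed = not hardened.heartbeat(uid, other, 1, sign(key, uid, 1))  # old tag
    return naive.lookup(uid), hardened.lookup(uid), rejected, replayed
```

In the naive model the route ends up pointing at whichever party spoke last; in the hardened model it stays with the holder of the device key.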
Also, many of these devices still operate with their factory settings, including a default password. The firmware and software in these IoT devices can be old, rife with vulnerabilities and easily compromised.
Marrapese said there is not really a solution to the problem other than replacing a vulnerable device.
“The nature of these vulnerabilities makes them extremely difficult to remediate for several reasons,” Marrapese wrote. “Software-based remediation is unlikely due to the infeasibility of changing device UIDs, which are permanently assigned during the manufacturing process. Furthermore, even if software patches were issued, the likelihood of most users updating their device firmware is low. Physical device recalls are unlikely as well because of considerable logistical challenges. Shenzhen Yunni Technology is an upstream vendor with inestimable sub-vendors due to the practice of white-labeling and reselling.”
Marrapese listed the affected security cameras here.