Tech

Over two million IoT devices vulnerable because of P2P component flaws

Devices like IP cameras, smart doorbells, and baby monitors sold under hundreds of brands are impacted.

Written by Catalin Cimpanu, Contributor April 26, 2019 at 1:14 p.m. PT

See als

10 dangerous app vulnerabilities to watch out for (free PDF)

More than two million IoT devices, possibly more, are using a vulnerable P2P firmware component that allows hackers to locate and take over impacted systems.

Vulnerable devices include IP cameras, baby monitors, smart doorbells, DVRs, and many others, manufactured and sold by multiple vendors under hundreds of brands, such as HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight, and HVCAM, just to name a few.

What all these devices have in common is that they use iLnkP2P, a firmware component that allows the device to talk to vendors' servers via the P2P (peer-to-peer) protocol.

Earlier this year, security researcher Paul Marrapese discovered two vulnerabilities in this component --tracked under the CVE-2019-11219 and CVE-2019-11220 identifiers.

According to Marrapese, the first "allows attackers to rapidly discover devices that are online," while the second "allows attackers to intercept connections to devices and perform man-in-the-middle attacks" and "to steal the password to a device and take control of it."

Component maker did not respond to security researcher

The researcher says that the vulnerable component's maker --Chinese company Shenzhen Yunni Technology Company, Inc-- did not reply to emails notifying the company about the two security flaws.

Attempts to contact the vendor through the CERT Coordination Center (CERT/CC) at the Carnegie Mellon University and China's national Computer Emergency Response Team (CN-CERT) had also failed.

"I strongly recommend anyone dispose of vulnerable devices, but only if they cannot, they should block OUTBOUND traffic to 32100/udp," the researcher told ZDNet in an email.

Blocking traffic on UDP port 32100 will prevent attackers and botnets from exploiting the vulnerabilities remotely, although devices will remain vulnerable to exploitation attempts from the local network, but the researcher considers this a more acceptable risk.

How to spot a vulnerable device

Since there are hundreds of device brands that may use the iLnkP2P component in their firmware, on a website the researcher published this week, he listed two methods that device owners can use and see if their device might be impacted.

"Devices that use the following Android apps may be vulnerable," the researcher said:

HiChip: CamHi, P2PWIFICAM, iMega Cam, WEBVISION, P2PIPCamHi, IPCAM P
VStarcam: Eye4, EyeCloud, VSCAM, PnPCam
Wanscam: E View7
NEO: P2PIPCAM, COOLCAMOP
Sricam: APCamera
Various: P2PCam_HD

In addition, devices that have a UID identifier listed on their labels in the format of "XXXX-123456-ABCDE," where XXXX is one of the following codes, are also impacted:

AID	AJT	AVA	BSIP	CAM
CPTCAM	CTW	DFT	DFZ	DYNE
EEEE	ELSA	ESN	ESS	EST
FFFF	GCMN	GGGG	GKW	HDT
HHHH	HRXJ	HVC	HWAA	HZD
HZDA	HZDB	HZDC	HZDN	HZDX
HZDY	HZDZ	IIII	IPC	ISRP
JWEV	KSC	MCI	MCIHD	MDI
MDIHD	MEG	MEYE	MGA	MGW
MIC	MICHD	MMMM	MSE	MSEHD
MSI	MSIHD	MTE	MTEHD	MUI
MUIHD	NIP	NIPHD	NPC	NTP
OBJ	OPCS	OPMS	PAR	PARC
PCS	PHP	PIO	PIPCAM	PIX
PNP	PSD	PTP	QHSV	ROSS
SID	SIP	SXH	TIO	TSD
UID	VIO	VSTD	VSTF	WBT
WBTHD	WNS	WNSC	WXH	WXO
XDBL	XTST	ZES	ZLD	ZSKJ
ZZZZ

The researcher's discovery isn't an isolated case. Back in October, cyber-security firm SEC Consult found similar flaws in devices manufactured by another Chinese company, which were similarly sold as white-label devices and rebranded by tens of other companies. In total, over nine million security cameras, DVRs, and NVRs were believed to be impacted by those flaws.