More than two million IoT devices, possibly more, are using a vulnerable P2P firmware component that allows hackers to locate and take over impacted systems.
Vulnerable devices include IP cameras, baby monitors, smart doorbells, DVRs, and many others, manufactured and sold by multiple vendors under hundreds of brands, such as HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight, and HVCAM, just to name a few.
What all these devices have in common is that they use iLnkP2P, a firmware component that allows the device to talk to vendors' servers via the P2P (peer-to-peer) protocol.
Earlier this year, security researcher Paul Marrapese discovered two vulnerabilities in this component --tracked under the CVE-2019-11219 and CVE-2019-11220 identifiers.
According to Marrapese, the first "allows attackers to rapidly discover devices that are online," while the second "allows attackers to intercept connections to devices and perform man-in-the-middle attacks" and "to steal the password to a device and take control of it."
Component maker did not respond to security researcher
The researcher says that the vulnerable component's maker --Chinese company Shenzhen Yunni Technology Company, Inc-- did not reply to emails notifying the company about the two security flaws.
Attempts to contact the vendor through the CERT Coordination Center (CERT/CC) at the Carnegie Mellon University and China's national Computer Emergency Response Team (CN-CERT) had also failed.
"I strongly recommend anyone dispose of vulnerable devices, but only if they cannot, they should block OUTBOUND traffic to 32100/udp," the researcher told ZDNet in an email.
Blocking traffic on UDP port 32100 will prevent attackers and botnets from exploiting the vulnerabilities remotely, although devices will remain vulnerable to exploitation attempts from the local network, but the researcher considers this a more acceptable risk.
How to spot a vulnerable device
Since there are hundreds of device brands that may use the iLnkP2P component in their firmware, on a website the researcher published this week, he listed two methods that device owners can use and see if their device might be impacted.
"Devices that use the following Android apps may be vulnerable," the researcher said:
- HiChip: CamHi, P2PWIFICAM, iMega Cam, WEBVISION, P2PIPCamHi, IPCAM P
- VStarcam: Eye4, EyeCloud, VSCAM, PnPCam
- Wanscam: E View7
- NEO: P2PIPCAM, COOLCAMOP
- Sricam: APCamera
- Various: P2PCam_HD
In addition, devices that have a UID identifier listed on their labels in the format of "XXXX-123456-ABCDE," where XXXX is one of the following codes, are also impacted:
|ZZZZ|| || || || |
The researcher's discovery isn't an isolated case. Back in October, cyber-security firm SEC Consult found similar flaws in devices manufactured by another Chinese company, which were similarly sold as white-label devices and rebranded by tens of other companies. In total, over nine million security cameras, DVRs, and NVRs were believed to be impacted by those flaws.
More vulnerability reports:
- Mobile app used in Car2go fraud scheme to steal 100 vehicles
- Security flaw lets attackers recover private keys from Qualcomm chips
- New Oracle WebLogic zero-day discovered in the wild
- Nokia 9 buggy update lets anyone bypass fingerprint scanner with a pack of gum
- Microsoft loses control over Windows Tiles subdomain
- KRACK attack: Here's how companies are responding CNET
- Top 10 app vulnerabilities: Unpatched plugins and extensions dominate TechRepublic