Over two million IoT devices vulnerable because of P2P component flaws

Devices like IP cameras, smart doorbells, and baby monitors sold under hundreds of brands are impacted.


Image: Paul Marrapese

More than two million IoT devices, possibly more, are using a vulnerable P2P firmware component that allows hackers to locate and take over impacted systems.

Vulnerable devices include IP cameras, baby monitors, smart doorbells, DVRs, and many others, manufactured and sold by multiple vendors under hundreds of brands, such as HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight, and HVCAM, just to name a few.

What all these devices have in common is that they use iLnkP2P, a firmware component that allows the device to talk to vendors' servers via the P2P (peer-to-peer) protocol.

Earlier this year, security researcher Paul Marrapese discovered two vulnerabilities in this component, tracked under the CVE-2019-11219 and CVE-2019-11220 identifiers.

According to Marrapese, the first "allows attackers to rapidly discover devices that are online," while the second "allows attackers to intercept connections to devices and perform man-in-the-middle attacks" and "to steal the password to a device and take control of it."

Component maker did not respond to security researcher

The researcher says that the vulnerable component's maker, Chinese company Shenzhen Yunni Technology Company, Inc, did not reply to emails notifying the company about the two security flaws.

Attempts to contact the vendor through the CERT Coordination Center (CERT/CC) at Carnegie Mellon University and China's national Computer Emergency Response Team (CN-CERT) also failed.

"I strongly recommend anyone dispose of vulnerable devices, but only if they cannot, they should block OUTBOUND traffic to 32100/udp," the researcher told ZDNet in an email.

Blocking traffic on UDP port 32100 will prevent attackers and botnets from exploiting the vulnerabilities remotely. Devices will remain vulnerable to exploitation attempts from the local network, but the researcher considers this a more acceptable risk.

How to spot a vulnerable device

Because hundreds of device brands may use the iLnkP2P component in their firmware, the researcher listed two methods that device owners can use to check whether their device might be impacted. Both are described on a website he published this week.

"Devices that use the following Android apps may be vulnerable," the researcher said:

  • HiChip: CamHi, P2PWIFICAM, iMega Cam, WEBVISION, P2PIPCamHi, IPCAM P
  • VStarcam: Eye4, EyeCloud, VSCAM, PnPCam
  • Wanscam: E View7
  • NEO: P2PIPCAM, COOLCAMOP
  • Sricam: APCamera
  • Various: P2PCam_HD

In addition, devices that have a UID identifier listed on their labels in the format of "XXXX-123456-ABCDE," where XXXX is one of the following codes, are also impacted:

AID AJT AVA BSIP CAM
CPTCAM CTW DFT DFZ DYNE
EEEE ELSA ESN ESS EST
FFFF GCMN GGGG GKW HDT
HHHH HRXJ HVC HWAA HZD
HZDA HZDB HZDC HZDN HZDX
HZDY HZDZ IIII IPC ISRP
JWEV KSC MCI MCIHD MDI
MDIHD MEG MEYE MGA MGW
MIC MICHD MMMM MSE MSEHD
MSI MSIHD MTE MTEHD MUI
MUIHD NIP NIPHD NPC NTP
OBJ OPCS OPMS PAR PARC
PCS PHP PIO PIPCAM PIX
PNP PSD PTP QHSV ROSS
SID SIP SXH TIO TSD
UID VIO VSTD VSTF WBT
WBTHD WNS WNSC WXH WXO
XDBL XTST ZES ZLD ZSKJ
ZZZZ
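
For anyone with more than a handful of devices, the label check above can be run over an asset inventory. The script below is an added example, not code from the researcher or from this article: it pulls UID-shaped tokens out of free text and reports which ones carry a listed prefix. The regular expression (3 to 6 letters, 6 digits, 5 letters, hyphen-separated) is an assumption taken from the "XXXX-123456-ABCDE" format shown above, and the sample inventory is constructed.

```python
import re

# Prefix codes copied from the list above.
ILNK_PREFIXES = frozenset("""
AID AJT AVA BSIP CAM CPTCAM CTW DFT DFZ DYNE EEEE ELSA ESN ESS EST
FFFF GCMN GGGG GKW HDT HHHH HRXJ HVC HWAA HZD HZDA HZDB HZDC HZDN HZDX
HZDY HZDZ IIII IPC ISRP JWEV KSC MCI MCIHD MDI MDIHD MEG MEYE MGA MGW
MIC MICHD MMMM MSE MSEHD MSI MSIHD MTE MTEHD MUI MUIHD NIP NIPHD NPC NTP
OBJ OPCS OPMS PAR PARC PCS PHP PIO PIPCAM PIX PNP PSD PTP QHSV ROSS
SID SIP SXH TIO TSD UID VIO VSTD VSTF WBT WBTHD WNS WNSC WXH WXO
XDBL XTST ZES ZLD ZSKJ ZZZZ
""".split())

# Assumed label shape: PREFIX-123456-ABCDE. The lookarounds stop the match
# from starting or ending in the middle of a longer alphanumeric token.
UID_RE = re.compile(
    r"(?<![A-Za-z0-9])([A-Za-z]{3,6})-(\d{6})-([A-Za-z]{5})(?![A-Za-z0-9])"
)

# Constructed sample inventory (hostnames and UIDs are made up).
SAMPLE_INVENTORY = """\
hostname,location,label
cam-lobby,Lobby,FFFF-123456-ABCDE
cam-dock,Loading dock,hzdb-004211-qwert
doorbell-1,Front door,ABCD-654321-ZYXWV
nvr-01,Server room,S/N 88123-77
cam-lobby-dup,Lobby,ffff-123456-abcde
"""


def audit_inventory(text):
    """Map each distinct UID found in text to True if its prefix is listed."""
    results = {}
    for prefix, serial, check in UID_RE.findall(text):
        uid = f"{prefix}-{serial}-{check}".upper()  # normalise case, dedupe
        results[uid] = prefix.upper() in ILNK_PREFIXES
    return results


def flagged(text):
    """Sorted UIDs whose prefix appears in the published list."""
    return sorted(uid for uid, hit in audit_inventory(text).items() if hit)


if __name__ == "__main__":
    for uid, hit in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{uid}: {'listed prefix' if hit else 'prefix not listed'}")
```

A UID whose prefix is not listed only means the label check did not match; the app-based check above still applies.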



The researcher's discovery isn't an isolated case. Back in October, cyber-security firm SEC Consult found similar flaws in devices manufactured by another Chinese company, which were similarly sold as white-label devices and rebranded by tens of other companies. In total, over nine million security cameras, DVRs, and NVRs were believed to be impacted by those flaws.
