iLnkP2P Flaws Expose Over 2 Million IoT Devices to Remote Attacks

Millions of security cameras and other internet of things (IoT) devices were found with critical security flaws involving peer-to-peer (P2P) communications technology. The weaknesses can expose the devices to credential theft, eavesdropping, hijacking, and remote attacks.

Security researcher Paul Marrapese shared with KrebsOnSecurity the dangers of iLnkP2P, the vulnerable firmware component that is bundled with millions of IoT devices such as baby monitors, IP cameras, smart doorbells, and digital video recorders (DVRs). It allows users to access the devices remotely without having to change firewall settings. Simply put, the component allows devices to talk to vendors’ servers via the P2P protocol.

Vulnerable devices have been noted to have a special serial number known as UID, where the unique alphabetic prefix is associated with the manufacturer that produced the device. Listed prefixes identify vendors and products that use iLnkP2P. If users see their device’s prefix (typically stamped onto the bottom of the device) in the list, the device is vulnerable. Devices that use certain Android apps may also be vulnerable:

  • HiChip: CamHi, P2PWIFICAM, iMega Cam, WEBVISION, P2PIPCamHi, IPCAM P
  • VStarcam: Eye4, EyeCloud, VSCAM, PnPCam
  • Wanscam: E View7
  • NEO: P2PIPCAM, COOLCAMOP
  • Sricam: APCamera
  • Various: P2PCam_HD

According to Marrapese, iLnkP2P devices have an enumeration vulnerability (assigned CVE-2019-11219) that can allow potential attackers to easily discover devices and establish a direct connection to them while bypassing firewall restrictions. Notably, iLnkP2P devices offer no authentication or encryption.

Devices that have the component in question are also vulnerable to an authentication vulnerability (CVE-2019-11220) that allows for stealing device passwords and eventually the takeover of affected devices. The former vulnerability targets individual devices, while the latter can be used to find many devices.

Marrapese built a proof-of-concept (PoC) script that identified upwards of two million vulnerable devices across the world. He found 39% of vulnerable IoT devices were located in China, 19% in Europe, and 7% in the United States. His PoC attack can steal passwords from affected devices and also abuse a built-in “heartbeat” feature that IoT devices can use to declare their presence in networks. An attacker with a valid device UID can send spoofed heartbeat messages to the network and render those actually sent by the device useless. Interestingly, an attacker may not always need to guess passwords, as many users run default credentials on their devices, making it easier for an attack to take place.

Securing IoT devices from vulnerabilities and remote attacks

Marrapese’s research suggests that vendors may find it difficult to remediate the aforementioned vulnerabilities. For one thing, changing device UIDs is infeasible, which makes software-based remediation unlikely. Patches are also currently unavailable. The researcher points out that even if vendors provide security updates, some users are unlikely to update their device firmware. Moreover, thorough device recalls may not be logistically possible.

There is no straightforward way to turn off the P2P functionality in devices. IoT devices can also use the Universal Plug and Play (UPnP) feature built into hardware-based routers to change certain settings. Users can consider disabling UPnP, but doing so limits some functionalities, such as local device discovery dependencies and device requests.

If devices are confirmed to be vulnerable, the recommendation is to replace them altogether with devices from reputable vendors that regularly provide security updates and patches for discovered vulnerabilities. If disposing of the vulnerable device is not possible, setting up firewall rules that block outbound traffic to UDP port 32100 can decrease the risk related to P2P functions. This does not prevent local access via P2P, but it will keep external networks from accessing the devices.
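
To find which devices on a network the outbound block would apply to, the following added example (not part of the original article or of Marrapese's research) parses Linux `conntrack -L` output and lists LAN hosts with UDP flows to external port 32100. It assumes a Linux gateway and RFC 1918 LAN addressing; the sample lines, addresses and function names are constructed for illustration.

```python
import ipaddress
import re

P2P_PORT = 32100  # UDP port named in the article's firewall advice
# Assumption: the LAN uses RFC 1918 addressing.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# First src/dst/sport/dport group on a line is the original (outbound) tuple.
TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")

# Constructed sample in `conntrack -L` format; not real observations.
SAMPLE_CONNTRACK = """\
udp      17 25 src=192.168.1.50 dst=203.0.113.10 sport=41234 dport=32100 [UNREPLIED] src=203.0.113.10 dst=192.0.2.20 sport=32100 dport=41234 mark=0 use=1
udp      17 170 src=192.168.1.50 dst=198.51.100.7 sport=41234 dport=32100 src=198.51.100.7 dst=192.0.2.20 sport=32100 dport=41234 [ASSURED] mark=0 use=1
udp      17 12 src=192.168.1.23 dst=192.168.1.1 sport=53211 dport=53 src=192.168.1.1 dst=192.168.1.23 sport=53 dport=53211 mark=0 use=1
udp      17 8 src=192.168.1.77 dst=192.168.1.50 sport=50000 dport=32100 [UNREPLIED] src=192.168.1.50 dst=192.168.1.77 sport=32100 dport=50000 mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.23 dst=203.0.113.10 sport=40000 dport=32100 src=203.0.113.10 dst=192.0.2.20 sport=32100 dport=40000 [ASSURED] mark=0 use=1
"""


def is_lan(addr):
    """True if addr falls inside one of the assumed LAN ranges."""
    return any(addr in net for net in LAN_NETS)


def p2p_talkers(conntrack_text, port=P2P_PORT):
    """Map each LAN host to the external addresses it sent UDP/<port> to."""
    talkers = {}
    for line in conntrack_text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "udp":
            continue  # the mitigation concerns UDP only
        m = TUPLE_RE.search(line)
        if not m or int(m.group(4)) != port:
            continue
        src = ipaddress.ip_address(m.group(1))
        dst = ipaddress.ip_address(m.group(2))
        # Only LAN-to-external flows are covered by an outbound block;
        # LAN-to-LAN P2P traffic stays possible, as the article notes.
        if is_lan(src) and not is_lan(dst):
            talkers.setdefault(str(src), set()).add(str(dst))
    return {host: sorted(dsts) for host, dsts in talkers.items()}


if __name__ == "__main__":
    for host, servers in p2p_talkers(SAMPLE_CONNTRACK).items():
        print(f"{host} -> UDP/{P2P_PORT} at {', '.join(servers)}")
```

Hosts it reports are candidates for checking against the UID prefix list and for the outbound block; an empty result after the rule is in place indicates no outbound UDP 32100 flows are being tracked.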
