Over 2 million IP security cameras, baby monitors and smart doorbells have serious vulnerabilities that could enable an attacker to hijack the devices and spy on their owners — and there’s currently no known patch for the shared flaws.
The attack stems from peer-to-peer (P2P) communication technology in all of these Internet of Things (IoT) devices, which allows them to be accessed without any manual configuration. The particular P2P solution that they use, iLnkP2P, is developed by Shenzhen Yunni Technology and contains two vulnerabilities that could allow remote hackers to find and take over vulnerable cameras used in the devices.
“Over 2 million vulnerable devices have been identified on the internet, including those distributed by HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight and HVCAM,” said Paul Marrapese, a security engineer who discovered the flaws, in a post last week. “Affected devices use a component called iLnkP2P. Unfortunately, iLnkP2P is used by hundreds of other brands as well, making identification of vulnerable devices difficult.”
The first iLnkP2P bug is an enumeration vulnerability (CVE-2019-11219), which enables attackers to discover exploitable devices that are online. The second is an authentication vulnerability (CVE-2019-11220) that allows remote attackers to intercept user-to-device traffic in cleartext, including video streams and device credentials.
IoT device users can discover if they are impacted by looking at their device’s UID, which is its unique identifier. The first prefix part of a UID indicates exploitability: For instance, devices with the FFFF prefix are among those that are vulnerable. A list of all the prefixes that are known to be vulnerable is available in the image to the left.
Marrapese said that he sent an initial advisory to device vendors regarding the security issues Jan. 15; and an advisory to the developers of iLnkP2P on Feb. 4, once he was able to identify them. He said that he has not received any responses despite multiple attempts at contact. The vulnerabilities were publicly disclosed April 24.
If consumers are impacted, they should block outbound traffic to UDP port 32100, which prevents devices from being accessed from external networks through P2P. However, Marrapese said the main step users could take is to buy a new device.
“Ideally, buy a new device from a reputable vendor,” he said. “Research suggests that a fix from vendors is unlikely, and these devices are often riddled with other security problems that put their owners at risk.”
It’s hardly the first security issue in security and surveillance cameras, which hold sensitive data and video footage ripe for the taking for hackers.
In July, IoT camera maker Swann patched a flaw in its connected cameras that would allow a remote attacker to access their video feeds. And in September up to 800,000 IP-based closed-circuit television cameras were vulnerable to a zero-day vulnerability that could have allowed hackers to access surveillance cameras, spy on and manipulate video feeds, or plant malware.
“Security cameras continue to be the oxymoron of the 21st century,” Joe Lea, vice president of product at Armis, in an email. “This is a perfect storm of a security exposure for an IoT device – no authentication, no encryption, near impossible upgrade path. We have to stop enabling connectivity over security – this is a defining moment in how we see lack of security for devices and lack of response.”
In a comment to Threatpost, Marrapese said that vendors have a big part to play when it comes to doing more to secure their connected devices.
“Vendors need to stop relying on ‘security through obscurity,'” he said. “The use of deterrents is not sufficient; vendors need to develop serious application security practices.”