A security researcher has discovered severe flaws in an Internet of Things (IoT) software feature called iLnkP2P, which renders the millions of consumer devices using it vulnerable to remote discovery and hijack.
Publicised by Paul Marrapese, neither iLnkP2P nor the Chinese company that developed it, Shenzhen Yunni Technology, will be familiar names to the people buying the products containing it.
Despite this, iLnkP2P was identified in at least two million devices made by companies including HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight, and HVCAM.
The software’s purpose is to allow IoT devices such as security webcams, baby monitors, and smart doorbells to be configured quickly without having to know how to open ports in a broadband router’s firewall.
Instead, consumers can power on their new device and instantly connect to it in peer-to-peer (P2P) fashion using an app on their computer by entering a Unique Identifier (UID). Nice and easy to use but not, it turns out, a good architecture from a security point of view.
The flaws
The main iLnkP2P flaw is CVE-2019-11220. For understandable reasons Marrapese doesn’t dwell on the details, but he says it allows attackers to carry out man-in-the-middle attacks and steal device passwords on the way to a device takeover.
Another flaw, CVE-2019-11219, allows attackers to discover which devices are vulnerable to the above weakness and reach out to them even when they’re on the other side of an apparently secure firewall using Network Address Translation (NAT).
Most of the devices don’t appear to use encryption. Marrapese even accuses one vendor of lying about the encryption they use.
Any device using iLnkP2P is at risk. The easiest way to determine whether a device uses it is to look for the UID printed on a sticker on the side of the device (the relevant part is the first three of the four letters). This can then be checked against the list of 91 known UIDs published by Marrapese.
However, this list isn’t exhaustive – there could be further devices not listed that are using iLnkP2P and have different UIDs.
Fixing the hole
For owners of these devices, there don’t appear to be many mitigations beyond manually blocking the software’s UDP port, 32100. This will allow local access while blocking remote traffic. Alternatively, writes Marrapese:
Buy a new device from a reputable vendor. Research suggests that a fix from vendors is unlikely, and these devices are often riddled with other security problems that put their owners at risk.
Sure enough, when Marrapese contacted the affected makers several times between January and February, he heard nothing back.
And that’s the thing about so many IoT devices, especially ones made cheaply and quickly by manufacturers who seem more concerned with shifting units than worrying about aftersales. The fact that a flaw exists – and a big flaw at that – has no bearing on whether it will ever be patched.
Pessimistic perhaps but it’s a fundamental issue. Anyone buying a product that can’t or won’t be updated is buying something with a very short life expectancy.
It’s sometimes said that users don’t care enough about security to take action in their own interests but it’s hard to believe that anyone buying a webcam trained on the inside of their house would be happy at the thought of cybercriminals taking control of it.
This follows a wearying series of IoT security scares, including that many of the apps used to control these devices have security weaknesses of their own.
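The port-blocking advice above is easier to act on if you first know which devices on your network are talking iLnkP2P at all. The following is an added example, not code from the article or from Marrapese: it reads iptables LOG-style lines from a home router, as recorded in a constructed sample below, and reports LAN hosts sending UDP to port 32100 towards the internet while ignoring LAN-to-LAN traffic on that port (the local access the article says should keep working). The subnet 192.168.1.0/24 and the log format are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of router firewall log lines (iptables LOG target style).
SAMPLE_LOG = """\
Apr 26 10:01:02 router kernel: FORWARD IN=br0 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.10 PROTO=UDP SPT=43210 DPT=32100 LEN=48
Apr 26 10:01:03 router kernel: FORWARD IN=br0 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=UDP SPT=43210 DPT=32100 LEN=48
Apr 26 10:01:05 router kernel: FORWARD IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.44 PROTO=TCP SPT=51000 DPT=443 LEN=60
Apr 26 10:01:07 router kernel: FORWARD IN=br0 OUT=br0 SRC=192.168.1.80 DST=192.168.1.23 PROTO=UDP SPT=5000 DPT=32100 LEN=40
Apr 26 10:01:09 router kernel: FORWARD IN=br0 OUT=eth0 SRC=192.168.1.77 DST=192.0.2.9 PROTO=UDP SPT=40001 DPT=32100 LEN=48
"""

ILNKP2P_PORT = 32100                  # UDP port named in the article
LAN = ip_network("192.168.1.0/24")    # assumed local subnet
FIELDS = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=(\d+) DPT=(\d+)")


def suspect_hosts(log_text, lan=LAN, port=ILNKP2P_PORT):
    """Return {lan_host: sorted external peers} for UDP flows to `port` that leave the LAN."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        m = FIELDS.search(line)
        if not m:
            continue
        src, dst, proto, _spt, dpt = m.groups()
        if proto != "UDP" or int(dpt) != port:
            continue
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        # Only LAN-to-internet flows count; LAN-to-LAN use of the port is the
        # local access that blocking the port at the router is meant to preserve.
        if src_ip in lan and dst_ip not in lan:
            peers[str(src_ip)].add(str(dst_ip))
    return {host: sorted(remote) for host, remote in peers.items()}


if __name__ == "__main__":
    for host, remote in suspect_hosts(SAMPLE_LOG).items():
        print(f"{host} sent UDP/{ILNKP2P_PORT} to {len(remote)} external peer(s): {', '.join(remote)}")
```

Hosts reported here are candidates for the UID check against Marrapese’s list and for a router rule that drops their UDP/32100 traffic bound for the internet.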
Nobody_Holme
Sir Samuel Vimes’ theory of boots applies.
For those who do not get the reference:
A rich man buys a good pair of leather soled boots, and keeps it for 20 years.
A poor man buys paper soles boots for far less, but has to replace them every six months.
At the end of 20 years, the poor man has spent more on boots than the rich man, and had blisters.
Moral: having the money to spend more on a good product saves you money in the long run.
Relevance: buy the good quality branded camera, not the cheap one available from some random company with two 5 star reviews on Amazon, or you’ll have security blisters.
Max P
Hello–I noticed that this article uses CVE-2019-11220 to describe what should read CVE-2019-11219 beneath the heading entitled “The flaws.” Both are clickable links and lead to the CVE page for 11220, and the page for 11219 is missing.
Paul Ducklin
Fixed, thanks!
Jasper Smith
CVE links are to the same vulnerability
Paul Ducklin
Fixed, thanks! (The CVE numbers in the text were wrong and the links just followed that text.)
Anonymous
“concerned with shifting units”
Shipping?
Paul Ducklin
“Shift” in the sense of “pile ‘em high and sell ‘em quick” – so it covers order-build-supply-sell.