Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Peer-to-Peer Vulnerability Exposes Millions of IoT Devices

A flaw in the software used to remotely access cameras and monitoring devices could allow hackers to easily take control of millions of pieces of the IoT.

Software intended to help homeowners be more secure may deliver their security devices into the hands of hackers. That's the conclusion of research conducted into a variety of IoT devices. 

In a blog post, researcher Paul Marrapese describes the flaw in the peer-to-peer (P2P) functionality of software named iLnkP2P, software developed by Shenzhen Yunni Technology, a Chinese vendor of security cameras, webcams, and other internet-of-things (IoT) monitoring devices.

The software is intended to allow device owners to view footage and monitor activity from their smart devices on the Internet. However, Marrapese found that the software requires no authentication and no encryption; a vulnerability given CVE-2019-11220.

A blog post at Krebs on Security includes a map showing that the largest percentage (39%) of affected devices are in China, with 19% in Europe, 7% in the U.S, and the rest scattered around the globe. And while the software was developed by Shenzhen Yunni Technology, scores of different vendors and product lines use the application.

According to Marrapese, the vulnerability exists because of the "heartbeat" that many P2P apps use to establish communications with their control servers. This heartbeat will establish a link with the server, bypassing most firewall restrictions on links initiated from outside the local network to a device on the inside. If an attacker is able to enumerate the device (guess the correct UID) based on a known alphabetic prefix and six-digit number, it can use that to establish a direct connection to the device and then own the device for any number of malicious purposes. The ease with which the enumeration can be performed on these devices is described in CVE-2019-11219.

Those malicious purposes may extend beyond simple botnet recruitment or criminal purposes. Adam Meyers, vice president of intelligence at CrowdStrike, points out larger possibilities: "Given the aggressive use by the government of the People's Republic of China of facial recognition and AI to aid in law enforcement and against political dissidents, anyone using low cost IOT devices communicating back to China should be cautious about how and where they implement this technology."

"Most IoT devices don’t allow consumers access to modify security settings as they are set by the manufacturer," says Terence Jackson, CISO at Thycotic. "With the proliferation of IoT, consumers need to demand better security from manufacturers and should exercise due diligence before purchasing and connecting these devices to their networks."

That "better security" is a feature that most manufacturers in the IoT have yet to adopt, according to Colin Bastable, CEO of Lucy Security. "Security is rarely built into the plan, because convenience, easy deployment, and rapid adoption are essentials, whereas secure code is not even regarded as a 'nice to have.'"

And the focus on convenience actually works against security, Bastable maintains. "Convenience and insecurity have a symbiotic relationship: there is a strong case for teaching consumers of all ages the basics of security and the risks of fast deployment."

While it's the manufacturer's responsibility to build better security into devices, they are unlikely to do so without a push from consumers. "Until consumers demand better security around their IoT devices, manufacturers won't have as much of an incentive to build more secure products," says Nathan Wenzler, senior director of cybersecurity at Moss Adams. And the lack of incentive will have consequences.

"While some companies are getting the message and even building entire messaging strategies around having more secure offerings, the market dictates speed over security, and so we should expect to see more of these kinds of issues in the future, exposing customers and their families to whoever uses these vulnerabilities."

As for this vulnerability, Marrapese writes that it's impossible for consumers to disable the vulnerable software on most of these devices. The only real option for these, he writes, is to block outbound traffic on UDP port 32100, as that will prevent the P2P software from contacting its server. Better still, he recommends not purchasing any device that features P2P communications as part of its application suite.

Related content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Considerations for Seamless CCPA Compliance
Anurag Kahol, CTO, Bitglass,  7/2/2020
Introducing 'Secure Access Service Edge'
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  7/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-12421
PUBLISHED: 2020-07-09
When performing add-on updates, certificate chains terminating in non-built-in-roots were rejected (even if they were legitimately added by an administrator.) This could have caused add-ons to become out-of-date silently without notification to the user. This vulnerability affects Firefox ESR < 6...
CVE-2020-12422
PUBLISHED: 2020-07-09
In non-standard configurations, a JPEG image created by JavaScript could have caused an internal variable to overflow, resulting in an out of bounds write, memory corruption, and a potentially exploitable crash. This vulnerability affects Firefox < 78.
CVE-2020-12423
PUBLISHED: 2020-07-09
When the Windows DLL "webauthn.dll" was missing from the Operating System, and a malicious one was placed in a folder in the user's %PATH%, Firefox may have loaded the DLL, leading to arbitrary code execution. *Note: This issue only affects the Windows operating system; other operating sys...
CVE-2020-12425
PUBLISHED: 2020-07-09
Due to confusion processing a hyphen character in Date.parse(), a one-byte out of bounds read could have occurred, leading to potential information disclosure. This vulnerability affects Firefox < 78.
CVE-2020-12426
PUBLISHED: 2020-07-09
Mozilla developers and community members reported memory safety bugs present in Firefox 77. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. This vulnerability affects Firefox < 78.