Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Peer-to-Peer Vulnerability Exposes Millions of IoT Devices

A flaw in the software used to remotely access cameras and monitoring devices could allow hackers to easily take control of millions of pieces of the IoT.

Software intended to help homeowners be more secure may deliver their security devices into the hands of hackers. That's the conclusion of research conducted into a variety of IoT devices. 

In a blog post, researcher Paul Marrapese describes the flaw in the peer-to-peer (P2P) functionality of software named iLnkP2P, software developed by Shenzhen Yunni Technology, a Chinese vendor of security cameras, webcams, and other internet-of-things (IoT) monitoring devices.

The software is intended to allow device owners to view footage and monitor activity from their smart devices on the Internet. However, Marrapese found that the software requires no authentication and no encryption; a vulnerability given CVE-2019-11220.

A blog post at Krebs on Security includes a map showing that the largest percentage (39%) of affected devices are in China, with 19% in Europe, 7% in the U.S, and the rest scattered around the globe. And while the software was developed by Shenzhen Yunni Technology, scores of different vendors and product lines use the application.

According to Marrapese, the vulnerability exists because of the "heartbeat" that many P2P apps use to establish communications with their control servers. This heartbeat will establish a link with the server, bypassing most firewall restrictions on links initiated from outside the local network to a device on the inside. If an attacker is able to enumerate the device (guess the correct UID) based on a known alphabetic prefix and six-digit number, it can use that to establish a direct connection to the device and then own the device for any number of malicious purposes. The ease with which the enumeration can be performed on these devices is described in CVE-2019-11219.

Those malicious purposes may extend beyond simple botnet recruitment or criminal purposes. Adam Meyers, vice president of intelligence at CrowdStrike, points out larger possibilities: "Given the aggressive use by the government of the People's Republic of China of facial recognition and AI to aid in law enforcement and against political dissidents, anyone using low cost IOT devices communicating back to China should be cautious about how and where they implement this technology."

"Most IoT devices don’t allow consumers access to modify security settings as they are set by the manufacturer," says Terence Jackson, CISO at Thycotic. "With the proliferation of IoT, consumers need to demand better security from manufacturers and should exercise due diligence before purchasing and connecting these devices to their networks."

That "better security" is a feature that most manufacturers in the IoT have yet to adopt, according to Colin Bastable, CEO of Lucy Security. "Security is rarely built into the plan, because convenience, easy deployment, and rapid adoption are essentials, whereas secure code is not even regarded as a 'nice to have.'"

And the focus on convenience actually works against security, Bastable maintains. "Convenience and insecurity have a symbiotic relationship: there is a strong case for teaching consumers of all ages the basics of security and the risks of fast deployment."

While it's the manufacturer's responsibility to build better security into devices, they are unlikely to do so without a push from consumers. "Until consumers demand better security around their IoT devices, manufacturers won't have as much of an incentive to build more secure products," says Nathan Wenzler, senior director of cybersecurity at Moss Adams. And the lack of incentive will have consequences.

"While some companies are getting the message and even building entire messaging strategies around having more secure offerings, the market dictates speed over security, and so we should expect to see more of these kinds of issues in the future, exposing customers and their families to whoever uses these vulnerabilities."

As for this vulnerability, Marrapese writes that it's impossible for consumers to disable the vulnerable software on most of these devices. The only real option for these, he writes, is to block outbound traffic on UDP port 32100, as that will prevent the P2P software from contacting its server. Better still, he recommends not purchasing any device that features P2P communications as part of its application suite.

Related content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.