30/04/2019

IoT security flaws: 2 Million devices affected

2 Million devices affected Warning

What happened?

In all, there are two security flaws in iLnkP2P. One of them allows an attacker to connect to an arbitrary device. The other puts unauthorized users in a position to steal access data to the device and to take full control. This is a problem, especially if an affected webcam is placed in an area such as a child’s room or your bedroom.

Many smart devices make use of ready-made „off the shelf“ components. Part of those components is a communication technology for P2P communication which is to ensure smooth and hassle-free communication between devices. One of those readymade solutions is called iLnkP2P, made by a company called Shenzen Yunni Technologies. Sourcing components from external suppliers is a common practice in many industries. For instance, car makers often purchase certain component groups such as wiring harnesses from external suppliers. As a consequence, any issues with a component made by a certain supplier affect multiple vendors. Among those affected by the security flaws are names like VStarcam, Eye Sight and HiChip. Listing all affected vendors would be „difficult“, though, as Paul Marrapese, who discovered the security flaws, stated in a blog article.

The manner in which this incident was handled by the supplier is not acceptable. To refuse to communicate about issues like this with researchers sends a signal that is not only damaging for the company itself but also the customers that they provide solutions for. A lot of things could have - and should have - been handled differently in this case. Incidents such as this one have the capacity to thoroughly undermine the trust of users both in technologies and vendors to a very high degree.

Tim Berghoff

Security Evangelist, G DATA

No reaction

At this point, a fix is not in sight – and is unlikely that there will be one any time soon, given that the supplier of iLnkP2P has not reacted to several attempts to get in contact with them. The researcher has then made the vulnerabilities public after three months.

Mitigation & Countermeasures

There is one way to find out whether a device is affected by the issues described here. On a sticker that is usually located on the under- or backside of a device, you will find a so-called UID. Based in the first three to five characters, it is possible to ascertain whether the device is susceptible to attacks using this vulnerability. A list with known affected UIDs can be found at https://hacked.camera/.

There are only few effective mitigation strategies. One of them consists of blocking certain types of traffic (UDP at port 32100) using a firewall. The most effective measure is to replace an affected device with one from a reputable vendor.