Vulnerabilities that enable remote compromise of “Internet of Things” devices have been discovered in the iLnkP2P P2P component produced by the Chinese company Shenzhen Yunni Technology Company, Inc. Millions of devices are at risk, including IP cameras, baby monitors, “smart” door locks, video recorders and many other gadgets that are produced and sold by several retailers under hundreds of brand names, such as HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight and HVCAM.
iLnkP2P allows users to connect remotely to IoT devices from a mobile phone or computer.
The vulnerabilities were found by independent cybersecurity expert Paul Marrapese. According to him, about two million of these devices are currently accessible on the Internet, with 39% of them located in China, 19% in Europe and 7% in the US. Approximately 50% of all vulnerable gadgets are produced by the Chinese company Hichip.
The first vulnerability (CVE-2019-11219) enables an intruder to identify vulnerable devices, while the second (CVE-2019-11220) makes it possible to intercept the connection to a gadget and perform a “man-in-the-middle” attack. Using both bugs together, an intruder can steal passwords and remotely compromise devices. To do so, the attacker only needs to know the IP address of the P2P server that the device uses.
Marrapese developed PoC code that obtains the password by exploiting the built-in “heartbeat” function, but decided not to publish it for security reasons.
“Once connected to the Internet, iLnkP2P devices regularly send heartbeat messages to the P2P server and wait for further instructions. The server redirects connection requests to the source of the most recent heartbeat message. Having the current UID of the device, an attacker can send fake heartbeat messages that substitute for the real messages the device sends. Upon connection, the majority of clients authorize as administrator, which opens the gadgets’ precious data to the attacker,” the expert explained.
Marrapese tried to work with the manufacturers of the vulnerable devices in January 2019, but not a single vendor responded to his messages. Given this, a prompt release of patches cannot be expected. The researcher recommends avoiding vulnerable products or restricting access to UDP port 32100 to prevent external connections through P2P. A list of vulnerable devices can be found here.
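
Before restricting UDP port 32100 it helps to know which hosts on the local network actually use it. The following added example (not code from the article or from the researcher) scans gateway firewall logs for LAN hosts sending UDP traffic to that port; the simplified netfilter-style log format, the LAN range and every address in the sample are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

P2P_PORT = 32100                     # UDP port named in the article
LAN = ip_network("192.168.1.0/24")   # assumption: the local network range

# Constructed sample in a simplified netfilter LOG format (not real traffic).
SAMPLE_LOG = """\
Apr 29 10:00:01 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.10 PROTO=UDP SPT=18211 DPT=32100
Apr 29 10:00:02 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.7 PROTO=TCP SPT=50122 DPT=443
Apr 29 10:00:31 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.11 PROTO=UDP SPT=18211 DPT=32100
Apr 29 10:00:33 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.10 PROTO=UDP SPT=40100 DPT=32100
Apr 29 10:00:40 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.40 DST=192.0.2.53 PROTO=UDP SPT=53111 DPT=53
Apr 29 10:01:01 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.10 PROTO=UDP SPT=18211 DPT=32100
Apr 29 10:01:05 gw kernel: FWD IN=br0 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.7 PROTO=TCP SPT=50130 DPT=32100
Apr 29 10:01:09 gw kernel: truncated line SRC=not-an-ip PROTO=UDP DPT=32100
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def find_p2p_hosts(log_text, lan=LAN, port=P2P_PORT):
    """Return {lan_host: {"packets": n, "servers": [...]}} for UDP traffic to `port`."""
    hits = defaultdict(lambda: {"packets": 0, "servers": set()})
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        # Only UDP to the P2P port is of interest; TCP to 32100 is ignored.
        if f.get("PROTO") != "UDP" or f.get("DPT") != str(port):
            continue
        try:
            src = ip_address(f["SRC"])
            ip_address(f["DST"])          # validate the destination as well
        except (KeyError, ValueError):
            continue                      # skip malformed or truncated lines
        if src not in lan:
            continue                      # report only hosts on our own network
        hits[f["SRC"]]["packets"] += 1
        hits[f["SRC"]]["servers"].add(f["DST"])
    return {host: {"packets": v["packets"], "servers": sorted(v["servers"])}
            for host, v in sorted(hits.items())}

if __name__ == "__main__":
    for host, info in find_p2p_hosts(SAMPLE_LOG).items():
        print(f"{host}: {info['packets']} packets to {', '.join(info['servers'])}")
```

Hosts reported here are candidates for replacement or for a gateway rule that drops their UDP 32100 traffic.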