More than two million IoT devices, possibly more, are using a vulnerable P2P firmware component that allows hackers to locate and take over impacted systems.
Vulnerable devices include IP cameras, baby monitors, smart doorbells, DVRs, and many others, manufactured and sold by multiple vendors under hundreds of brands, such as HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight, and HVCAM, just to name a few.
What all these devices have in common is that they use iLnkP2P, a firmware component that allows the device to talk to vendors’ servers via the P2P (peer-to-peer) protocol.
Earlier this year, security researcher Paul Marrapese discovered two vulnerabilities in this component –tracked under the CVE-2019-11219 and CVE-2019-11220 identifiers.
According to Marrapese, the first “allows attackers to rapidly discover devices that are online,” while the second “allows attackers to intercept connections to devices and perform man-in-the-middle attacks” and “to steal the password to a device and take control of it.”
Component maker did not respond to security researcher
The researcher says that the vulnerable component’s maker –Chinese company Shenzhen Yunni Technology Company, Inc– did not reply to emails notifying the company about the two security flaws.
Attempts to contact the vendor through the CERT Coordination Center (CERT/CC) at the Carnegie Mellon University and China’s national Computer Emergency Response Team (CN-CERT) had also failed.
Because there are no firmware patches available, Marrapese recommends that customers use a firewall to filter incoming traffic over UDP port 32100, the one used by the vulnerable iLnkP2P component.
This will prevent attackers and botnets from exploiting the vulnerabilities remotely, although devices will remain vulnerable to exploitation attempts from the local network, but the researcher considers this a more acceptable risk.
How to spot a vulnerable device
Since there are hundreds of device brands that may use the iLnkP2P component in their firmware, on a website the researcher published this week, he listed two methods that device owners can use and see if their device might be impacted.
“Devices that use the following Android apps may be vulnerable,” the researcher said:
- HiChip: CamHi, P2PWIFICAM, iMega Cam, WEBVISION, P2PIPCamHi, IPCAM P
- VStarcam: Eye4, EyeCloud, VSCAM, PnPCam
- Wanscam: E View7
- NEO: P2PIPCAM, COOLCAMOP
- Sricam: APCamera
- Various: P2PCam_HD
In addition, devices that have a UID identifier listed on their labels in the format of “XXXX-123456-ABCDE,” where XXXX is one of the following codes, are also impacted:
Marrapese also recommends, if possible, that device owners replace any of these vulnerable devices.
The researcher’s discovery isn’t an isolated case. Back in October, cyber-security firm SEC Consult found similar flaws in devices manufactured by another Chinese company, which were similarly sold as white-label devices and rebranded by tens of other companies. In total, over nine million security cameras, DVRs, and NVRs were believed to be impacted by those flaws.
More vulnerability reports: