Peer-to-Peer Vulnerability Exposes Millions of IoT Devices

  /     /     /  
Publicated : 23/11/2024   Category : security


Peer-to-Peer Vulnerability Exposes Millions of IoT Devices


A flaw in the software used to remotely access cameras and monitoring devices could allow hackers to easily take control of millions of pieces of the IoT.



Software intended to help homeowners be more secure may deliver their security devices into the hands of hackers. Thats the conclusion of research conducted into a variety of IoT devices. 
In a
blog post
, researcher Paul Marrapese describes the flaw in the peer-to-peer (P2P) functionality of software named iLnkP2P, software developed by Shenzhen Yunni Technology, a Chinese vendor of security cameras, webcams, and other internet-of-things (IoT) monitoring devices.
The software is intended to allow device owners to view footage and monitor activity from their smart devices on the Internet. However, Marrapese found that the software requires no authentication and no encryption; a vulnerability given
CVE-2019-11220
.
A
blog post
at Krebs on Security includes a map showing that the largest percentage (39%) of affected devices are in China, with 19% in Europe, 7% in the U.S, and the rest scattered around the globe. And while the software was developed by Shenzhen Yunni Technology, scores of different vendors and product lines use the application.
According to Marrapese, the vulnerability exists because of the heartbeat that many P2P apps use to establish communications with their control servers. This heartbeat will establish a link with the server, bypassing most firewall restrictions on links initiated from outside the local network to a device on the inside. If an attacker is able to enumerate the device (guess the correct UID) based on a known alphabetic prefix and six-digit number, it can use that to establish a direct connection to the device and then own the device for any number of malicious purposes. The ease with which the enumeration can be performed on these devices is described in
CVE-2019-11219
.
Those malicious purposes may extend beyond simple botnet recruitment or criminal purposes. Adam Meyers, vice president of intelligence at CrowdStrike, points out larger possibilities: Given the aggressive use by the government of the Peoples Republic of China of facial recognition and AI to aid in law enforcement and against political dissidents, anyone using low cost IOT devices communicating back to China should be cautious about how and where they implement this technology.
Most IoT devices don’t allow consumers access to modify security settings as they are set by the manufacturer, says Terence Jackson, CISO at Thycotic. With the proliferation of IoT, consumers need to demand better security from manufacturers and should exercise due diligence before purchasing and connecting these devices to their networks.
That better security is a feature that most manufacturers in the IoT have yet to adopt, according to Colin Bastable, CEO of Lucy Security. Security is rarely built into the plan, because convenience, easy deployment, and rapid adoption are essentials, whereas secure code is not even regarded as a nice to have.
And the focus on convenience actually works against security, Bastable maintains. Convenience and insecurity have a symbiotic relationship: there is a strong case for teaching consumers of all ages the basics of security and the risks of fast deployment.
While its the manufacturers responsibility to build better security into devices, they are unlikely to do so without a push from consumers. Until consumers demand better security around their IoT devices, manufacturers wont have as much of an incentive to build more secure products, says Nathan Wenzler, senior director of cybersecurity at Moss Adams. And the lack of incentive will have consequences.
While some companies are getting the message and even building entire messaging strategies around having more secure offerings, the market dictates speed over security, and so we should expect to see more of these kinds of issues in the future, exposing customers and their families to whoever uses these vulnerabilities.
As for this vulnerability, Marrapese writes that its impossible for consumers to disable the vulnerable software on most of these devices. The only real option for these, he writes, is to block outbound traffic on UDP port 32100, as that will prevent the P2P software from contacting its server. Better still, he recommends not purchasing any device that features P2P communications as part of its application suite.
Related content:
Why We Need a Cleaner Internet
How iOS App Permissions Open Holes for Hackers
7 Malware Families Ready to Ruin Your IoTs Day
New Mirai Version Targets Business IoT Devices
IoT Anomaly Detection 101: Data Science to Predict the Unexpected
 
 
 
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industrys most knowledgeable IT security experts. Check out the
Interop agenda
here.

Last News

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Peer-to-Peer Vulnerability Exposes Millions of IoT Devices