P2P Tech Is Once Again Compromising IoT Devices
And this time it’s affecting more than 2 million security cameras, baby monitors, and smart doorbells.
Join the DZone community and get the full member experience.Join For Free
The above map shows the location of the affected devices.
Last week, the investigative reporting blog Krebs on Security dropped one doozy of an IoT story: More than 2 million peer-to-peer enabled IoT devices have been found vulnerable to “eavesdropping, credential theft, and remote compromise” due to security flaws in their P2P software, iLnkP2P.
Using his own proof-of-concept scripts, security researcher Paul Marrapese discovered two critical vulnerabilities, both of which enable hackers to take advantage of the devices’ default (and unfortunately wide-open) P2P connectivity.
One, now listed as CVE-2019-11219 in the National Vulnerability Database, allows hackers to locate exploitable devices online, while the other, CVE-2019-11220, makes it possible for them to intercept user-to-device traffic in plain text.
Developed by Chinese firm Shenzhen Yuni Technology, iLnkP2P “is designed to allow users of these devices to quickly and easily access them remotely from anywhere in the world, without having to tinker with one’s firewall: Users simply download a mobile app, scan a barcode or enter the six-digit ID stamped onto the bottom of the device, and the P2P software does the rest,” Krebs wrote.
Indeed, “a main selling point of P2P devices,” Marrapese explained on his website, “is that they do not require port forwarding or dynamic DNS in order to be accessed, and are capable of overcoming NAT and firewall scenarios automatically,” making them attractive choices for many consumers.
But now, the owners of millions of smart doorbells, security cameras, baby monitors, and digital video recorders are at risk of attack from around the world. Because these devices offer no authentication or encryption, and are easily enumerated, hackers can “rapidly find vulnerable cameras, then launch attacks to access them – all without the owner’s knowledge,” Marrapese said.
The owners of affected devices can hinder P2P functionality “by blocking outbound traffic to UDP port 32100,” but they’re probably better off just getting rid of them all together. “Ideally, buy a new device from a reputable vendor,” Marrapese said. “Research suggests that a fix from vendors is unlikely, and these devices are often riddled with other security problems that put their owners at risk.”
While Marrapese is careful to point out that these weaknesses are not inherent to every P2P enabled smart device, this also isn’t the first time problems with the technology have landed IoT gadgets in the news.
Back in February of last year, author Brian Krebs revealed a similar issue with Foscam security cameras. This time, a consumer lodged a complaint with the company after noticing “his IP camera was noisily and incessantly calling out to more than a dozen online hosts in almost as many countries,” which was interesting because he had no idea his device possessed default P2P connectivity in the first place.
And to make matters worse, concerned consumers learned shortly thereafter that the setting meant to disable this traffic actually did no such thing.
Because this tech is literally designed to break through firewalls, many security experts, including Krebs himself, are “baffled as to why such a well-known brand as Foscam would enable P2P communications on a product that is primarily used to monitor and secure homes and offices.”
Nicholas Weaver, a senior researcher in networking and security at the International Computer Science Institute, echoed this sentiment when he called out this P2P connectivity as “an insanely bad idea.”
“It opens up all Foscam users not only to attacks on their cameras themselves,” he explained, “but an exploit of the camera also enables further intrusions into the home network.”
And as Marrapese pointed out in his report, there are many companies that claim their IoT devices employ encryption when, in reality, they don’t at all or “do so in an insecure fashion.”
“Security cameras continue to be the oxymoron of the 21st century,” Joe Lea, vice president of product at Armis told Threatpost. “This is a perfect storm of a security exposure for an IoT device – no authentication, no encryption, near impossible upgrade path. We have to stop enabling connectivity over security – this is a defining moment in how we see lack of security for devices and lack of response.”
Only time will tell if bad press (like this) will encourage IoT vendors to make security the priority it needs to be.
Opinions expressed by DZone contributors are their own.