Recently, researchers discovered that millions of IoT devices were affected by P2P vulnerabilities. The security vulnerabilities, found in a software component powering these IoT devices, could have allowed hackers to perpetrate credential theft, eavesdropping, and remote attacks. An analysis by a security researcher has shown multiple vulnerabilities in millions of IoT devices.
Paul Marrapese, a California-based security engineer, discovered two serious flaws in iLnkP2P, a system developed by Chinese firm Shenzhen Yunni Technology Company, Inc. iLnkP2P is a P2P solution that makes it easier for users to connect to their IoT devices from their phone or computer.
According to Paul Marrapese, the security vulnerabilities were found in a software program called iLnkP2P, which powers numerous IoT devices. iLnkP2P lets users remotely access their IoT devices with the help of a mobile app. iLnkP2P-based IoT devices had no authentication or encryption, allowing attackers to connect to them directly. HiChip, a Chinese IoT vendor, accounted for half the vulnerable devices.
The security researcher Marrapese discovered that the IoT devices could also be enumerated by their IDs, provided attackers learned the unique alphabetic prefixes used by the device manufacturers. He identified over two million devices across the world that contained P2P vulnerabilities. In addition, a Proof-of-Concept (PoC) attack created by Marrapese could steal passwords from these vulnerable devices by exploiting a built-in ‘heartbeat’ feature.
“It takes moderate effort to understand the P2P protocol, as it is entirely undocumented. If an attacker spends time learning the protocol, CVE-2019-11220 is not terribly difficult to figure out,” he said via email. “However, I believe figuring out the details of the enumeration vulnerability would take considerable effort. In turn, this does help reduce the present risk of CVE-2019-11220 because an attacker would have to know a specific device UID to attack it.”
IoT device users can find out whether they are impacted by looking at their device’s UID, its unique identifier. The prefix, the first part of the UID, indicates exploitability: for instance, devices with the FFFF prefix are among those that are vulnerable. A list of all the prefixes that are known to be vulnerable is available in the image to the left.
Marrapese told security blogger Brian Krebs that 39% of the vulnerable devices are located in China, 19% in Europe, and 7% in the United States. Nearly half of them are made by Chinese company HiChip.
The security researcher highlighted how the ‘heartbeat’ feature could be abused to retrieve passwords.
“Simply by knowing a valid device UID, it is possible for an attacker to issue fraudulent heartbeat messages that will supersede any issued by the genuine device. Upon connecting, most clients will immediately attempt to authenticate as an administrative user in plaintext, allowing an attacker to obtain the credentials to the device,” Marrapese told Krebs On Security.
While Marrapese has contacted iLnk, HiChip and other manufacturers of the affected devices, none of them has responded or acknowledged the issue.