Story image

Security alert: More than 2 million IoT devices are now junk

01 May 2019

More than two million security cameras, baby monitors, and smart doorbells are affected by security vulnerabilities that could allow cybercriminals to hack devices and spy on homes, according to one security researcher called Paul Marrapese.

The bad news is that there’s very little anyone can do to fix the issue, besides buying new devices.

Some of the affected brands include Coolcam, Eye Sight, HiChip, HHVCAM, NEO Coolcam, Sricam, SV3C, VStarcam, and Wanscam. These devices use a component called iLinkP2P, which is also present in hundreds of other brands, so tracking down exactly what brands and devices are affected is a bit on the tricky side, says Marrapese.

“Also to note is that the number of affected devices is much higher than just two million, that is the number of devices visible outside of firewall, but this serial number brute forcing also allows to access cameras behind firewalls,” adds F-Secure Labs principal researcher Jarno Nimela.

The vulnerabilities lie in the iLnkP2P, developed by a company called Shenzhen Yunni Technology Company. iLnkP2P is a way for users to connect to their devices without involving any manual configuration. iLnkP2P uses a serial number called a UID to allow users connect instantly through phone or computer.

Unfortunately, CVE-2019-11219 details a vulnerability in iLnkP2P that allows attackers to find online devices and connect to them. CVE-2019-11220 is a vulnerability that allows attackers to steal the device’s password and take full control of it.

While device vendors were advised back in January it seems that they haven’t done anything to acknowledge the vulnerabilities, which is why Marrapese decided to make the vulnerabilities public.

Here’s how to tell if your devices are affected:

First, look for a serial number on your device called a UID. Typically, it will follow this letter-number-letter format: FFFF-123456-ABCDE

Devices with the following four letters are known to be vulnerable (keep in mind that many more vulnerable devices beyond the ones below also exist).

If your device is affected, Marrapese says outright that you should buy a new device from a vendor with a good reputation, because it’s unlikely that these affected devices will be patched. The same affected devices may also be plagued with other security threats.

“If disposing of the device is not possible, the P2P functionality may be effectively neutered by blocking outbound traffic to UDP port 32100. This will prevent devices from being accessed from external networks via P2P (though local access will still work),” concludes Marrapese.

Container survey shows adoption accelerating while security concerns remain top of mind
The report features insights from over 500 IT professionals.
Google 'will do better' after G Suite passwords exposed since 2005
Fourteen years is a long time for sensitive information like usernames and passwords to be sitting ducks, unencrypted and at risk of theft and corruption.
Hackbusters! Reviewing 90 days of cybersecurity incident response cases
While there are occasionally very advanced new threats, these are massively outnumbered by common-or-garden email fraud, ransomware attacks and well-worn old exploits.
SEGA turns to Palo Alto Networks for cybersecurity protection
When one of the world’s largest video game pioneers wanted to strengthen its IT defences against cyber threats, it started with firewalls and real-time threat intelligence from Palo Alto Networks.
Forrester names Trend Micro Leader in email security
TrendMicro earned the highest score for technology leadership, deployment options and cloud integration.
LogRhythm releases cloud-based SIEM solution
LogRhythm Cloud provides the same feature set and user experience as its on-prem experience.
One Identity named Leader in PAM and IAM by KuppingerCole
KuppingerCole lead analyst Anmol Singh evaluated the strengths and weaknesses of 20 solution providers in the PAM market for the report.
Healthcare environments difficult to secure - Forescout
The convergence of IT, Internet of Things (IoT) and operational technology (OT) makes it more difficult for the healthcare industry to manage a wide array of hard-to-control network security risks.