Millions of smart devices have major security flaws

A new report from a security researcher highlights the extent of the problem.

Paul Marrapese, a security engineer from the Bay Area, California, has recently announced that a security flaw in Internet of Things (IoT) software exposes millions of consumer devices to hackers.

Marrapese, an OSCP-certified security researcher, recently discovered that iLnkP2P, a peer-to-peer (P2P) solution, leaves users of various devices vulnerable to remote discovery and hijacking. The software was developed by a company called Shenzhen Yunni Technology Company, Inc.

Affected devices using iLnkP2P include baby monitors, security webcams and smart doorbells. These devices use P2P features that let users connect to their devices when they go online. This is also when hackers exploit the flaws of these devices to find those which can be attacked. Once successful, hackers are able to access the devices without the owners knowing about it.

Marrapese did not elaborate on the iLnkP2P flaw, but he identified it as CVE-2019-11220. This flaw allows man-in-the-middle attacks that let attackers steal device passwords and eventually take over the device.

Another flaw, CVE-2019-11219, lets attackers find out which smart devices are vulnerable. Once these devices are identified, attackers can reach out and exploit them even though they sit behind a Network Address Translation (NAT) firewall. Additionally, these devices are not using encryption, making them an easier target for attacks.

Marrapese also said that at least two million devices are using iLnkP2P and are affected by the security flaw. These include devices manufactured by companies such as HiChip, TENVIS, VStarcam, Wanscam, NEO Coolcam, SriCam and EyeSight, among others.

Unfortunately for those who own these devices, there do not seem to be many solutions to the security flaw. The quickest known fix is to manually block the software’s UDP port, 32100. This blocks remote traffic and yet allows users to access their devices locally.
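Before blocking the port, it helps to know which devices on the network actually use it. The following is an added example, not code from Marrapese or from the original article: it scans gateway packet logs for UDP port 32100 traffic that crosses the LAN boundary and lists the local devices involved. It assumes the gateway already logs forwarded packets in the Linux netfilter LOG format; the host name, addresses and log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

P2P_PORT = "32100"  # iLnkP2P UDP port named in the article
# RFC 1918 ranges count as "local" here (assumption; adjust to your LAN).
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELD = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")

# Constructed sample lines in netfilter LOG format (not captured traffic).
SAMPLE_LOG = [
    "May  1 10:00:01 gw kernel: IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=48 TTL=63 PROTO=UDP SPT=40112 DPT=32100 LEN=28",
    "May  1 10:00:02 gw kernel: IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.7 LEN=48 TTL=63 PROTO=UDP SPT=40112 DPT=32100 LEN=28",
    "May  1 10:00:03 gw kernel: IN=br0 OUT=br0 SRC=192.168.1.20 DST=192.168.1.50 LEN=48 TTL=64 PROTO=UDP SPT=51000 DPT=32100 LEN=28",
    "May  1 10:00:04 gw kernel: IN=br0 OUT=eth0 SRC=192.168.1.77 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=50000 DPT=32100 WINDOW=64240 SYN",
    "May  1 10:00:05 gw kernel: IN=br0 OUT=eth0 SRC=192.168.1.30 DST=203.0.113.99 LEN=76 TTL=63 PROTO=UDP SPT=123 DPT=123 LEN=56",
    "May  1 10:00:06 gw kernel: IN=eth0 OUT=br0 SRC=203.0.113.10 DST=192.168.1.61 LEN=48 TTL=52 PROTO=UDP SPT=32100 DPT=40500 LEN=28",
]

def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETS)

def find_p2p_devices(log_lines):
    """Map each LAN address to the external peers it exchanged UDP/32100 traffic with."""
    hits = defaultdict(set)
    for line in log_lines:
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "UDP" or P2P_PORT not in (f.get("SPT"), f.get("DPT")):
            continue
        try:
            src_local, dst_local = is_local(f["SRC"]), is_local(f["DST"])
        except (KeyError, ValueError):
            continue  # malformed or truncated log line
        if src_local == dst_local:
            continue  # LAN-only traffic (still works after the block) or transit
        device, peer = (f["SRC"], f["DST"]) if src_local else (f["DST"], f["SRC"])
        hits[device].add(peer)
    return dict(hits)

if __name__ == "__main__":
    for device, peers in sorted(find_p2p_devices(SAMPLE_LOG).items()):
        print(f"{device} talks UDP/{P2P_PORT} with {', '.join(sorted(peers))}")
```

Devices that appear in the result are candidates for the port block or for replacement; LAN-only traffic on the port is deliberately ignored because local access is meant to keep working.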

The best solution suggested by Marrapese is for users to buy a new device instead. In doing so, it would be wise and practical to buy the device from a reputable vendor. While there are many cheap consumer devices available on the market right now, a few more dollars on the price tag won’t hurt, especially if it means additional reliability in the device that you are buying.
