An analysis by a security researcher has uncovered multiple vulnerabilities affecting millions of IoT devices. According to researcher Paul Marrapese, the flaws lie in a software component called iLnkP2P that is built into numerous IoT devices.
iLnkP2P lets users remotely access their IoT devices through a mobile app. Devices running this software lacked authentication and any form of encryption.
The big picture
How it can be abused - The researcher highlighted how the ‘heartbeat’ feature could be abused to retrieve device passwords.
“Simply by knowing a valid device UID, it is possible for an attacker to issue fraudulent heartbeat messages that will supersede any issued by the genuine device. Upon connecting, most clients will immediately attempt to authenticate as an administrative user in plaintext, allowing an attacker to obtain the credentials to the device,” Marrapese told Krebs On Security.
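The quoted attack works because a heartbeat carries nothing but the device UID, so whichever host most recently sent one for a given UID becomes the endpoint clients connect to. The following Python is an added example (not from the article, the researcher, or iLnkP2P) of how a P2P rendezvous operator or network monitor could spot that pattern on the defensive side: it assumes a log of heartbeat records with a timestamp, UID and source address (a format chosen for this example) and flags UIDs whose heartbeat source alternates between hosts within a short window, which a spoofed heartbeat racing the genuine device would produce.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Heartbeat:
    ts: float    # seconds since start of the log (assumed log field)
    uid: str     # device UID carried in the heartbeat
    src_ip: str  # address the heartbeat arrived from


def find_contested_uids(heartbeats, window=60.0, min_flips=2):
    """Return {uid: [(old_ip, new_ip, ts), ...]} for UIDs whose heartbeat
    source address flips at least `min_flips` times, each flip arriving
    within `window` seconds of the previous heartbeat for that UID.

    A single change of address can be a legitimate reconnect; a UID that
    alternates between two hosts inside one window is the pattern a
    spoofed heartbeat competing with the genuine device would leave.
    """
    last_seen = {}              # uid -> (src_ip, ts) of the latest heartbeat
    flips = defaultdict(list)   # uid -> recorded address changes
    for hb in sorted(heartbeats, key=lambda h: h.ts):
        prev = last_seen.get(hb.uid)
        if prev is not None:
            prev_ip, prev_ts = prev
            if prev_ip != hb.src_ip and hb.ts - prev_ts <= window:
                flips[hb.uid].append((prev_ip, hb.src_ip, hb.ts))
        last_seen[hb.uid] = (hb.src_ip, hb.ts)
    return {uid: f for uid, f in flips.items() if len(f) >= min_flips}


# Constructed sample log (UIDs and addresses are placeholders, not real devices).
# Device "EXAM-000001-AAAAA" heartbeats from 203.0.113.10; a second host then
# sends heartbeats for the same UID and the two sources alternate.
SAMPLE_LOG = [
    Heartbeat(0.0,  "EXAM-000001-AAAAA", "203.0.113.10"),
    Heartbeat(30.0, "EXAM-000001-AAAAA", "203.0.113.10"),
    Heartbeat(45.0, "EXAM-000001-AAAAA", "198.51.100.7"),  # competing source
    Heartbeat(60.0, "EXAM-000001-AAAAA", "203.0.113.10"),  # genuine device again
    Heartbeat(0.0,  "EXAM-000002-BBBBB", "192.0.2.55"),
    Heartbeat(30.0, "EXAM-000002-BBBBB", "192.0.2.55"),
    Heartbeat(90.0, "EXAM-000002-BBBBB", "192.0.2.56"),    # one-off address change
]

if __name__ == "__main__":
    for uid, changes in find_contested_uids(SAMPLE_LOG).items():
        print(f"UID {uid} contested: {changes}")
```

With the default `min_flips=2` only the alternating UID is reported; the single address change on the second UID is treated as an ordinary reconnect.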
While he has contacted iLnk, HiChip and other manufacturers of the affected devices, none of them has responded or acknowledged the issue. More details on the vulnerability can be found here.