Millions of IoT devices affected by newly discovered P2P vulnerabilities
- The security holes, found in a software component powering these devices, could have allowed attackers to carry out credential theft, eavesdropping, and remote attacks.
- Vulnerable IoT devices included security cameras, webcams, baby monitors, smart doorbells, and digital video recorders.
An analysis by a security researcher has found multiple vulnerabilities in millions of IoT devices. According to researcher Paul Marrapese, the flaws were found in a software program called iLnkP2P, which powers numerous IoT devices.
iLnkP2P lets users remotely access their IoT devices through a mobile app. Devices with this software lacked authentication or any form of encryption.
The big picture
- iLnkP2P-based IoT devices had no authentication or encryption, allowing attackers to connect directly to these devices. HiChip, a Chinese IoT vendor, accounted for half the vulnerable devices.
- Marrapese discovered that the devices could also be enumerated by their IDs, provided attackers learned the unique alphabetic prefixes used by the device manufacturers.
- He identified over two million devices across the world that contained P2P vulnerabilities.
- In addition, a proof-of-concept (PoC) attack created by Marrapese could steal passwords from these vulnerable devices by exploiting an in-built ‘heartbeat’ feature.
How can it be abused
The security researcher highlighted how the ‘heartbeat’ feature could be abused to retrieve passwords.
“Simply by knowing a valid device UID, it is possible for an attacker to issue fraudulent heartbeat messages that will supersede any issued by the genuine device. Upon connecting, most clients will immediately attempt to authenticate as an administrative user in plaintext, allowing an attacker to obtain the credentials to the device,” Marrapese told Krebs On Security.
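The weakness in the quote comes down to a rendezvous service that trusts whichever heartbeat arrived last for a UID. The sketch below is an added example, not iLnkP2P code or anything published by the researcher: it models that behaviour next to a hardened registry that requires a per-device MAC and a fresh counter. The class names, message layout, UID and key are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac

def sign_heartbeat(key: bytes, uid: str, counter: int) -> bytes:
    """MAC over the device UID and a strictly increasing counter (assumed layout)."""
    return hmac.new(key, f"{uid}|{counter}".encode(), hashlib.sha256).digest()

class NaiveRegistry:
    """Model of the behaviour the article describes: the latest heartbeat wins."""
    def __init__(self):
        self.routes = {}

    def heartbeat(self, uid, source_addr):
        self.routes[uid] = source_addr  # no proof the sender owns this UID
        return True

class AuthenticatedRegistry:
    """Hardened form: a heartbeat needs a valid per-device MAC and a fresh counter."""
    def __init__(self, device_keys):
        self.keys = device_keys  # uid -> secret provisioned per device (assumption)
        self.routes = {}
        self.last_counter = {}

    def heartbeat(self, uid, source_addr, counter, tag):
        key = self.keys.get(uid)
        if key is None:
            return False  # unknown UID
        if not hmac.compare_digest(sign_heartbeat(key, uid, counter), tag):
            return False  # sender does not hold the device key
        if counter <= self.last_counter.get(uid, -1):
            return False  # replayed or stale heartbeat
        self.last_counter[uid] = counter
        self.routes[uid] = source_addr
        return True

def demo():
    uid, key = "TEST-000001", b"constructed-device-secret"  # constructed values
    device, other = "198.51.100.10", "203.0.113.66"  # documentation-range addresses
    naive = NaiveRegistry()
    naive.heartbeat(uid, device)
    naive.heartbeat(uid, other)  # a second sender silently replaces the device
    hardened = AuthenticatedRegistry({uid: key})
    good = sign_heartbeat(key, uid, 1)
    accepted = hardened.heartbeat(uid, device, 1, good)
    forged = hardened.heartbeat(uid, other, 2, bytes(32))  # wrong MAC
    replayed = hardened.heartbeat(uid, other, 1, good)  # captured tag, old counter
    return naive.routes[uid], hardened.routes[uid], accepted, forged, replayed
```

Authenticating the heartbeat only protects the UID-to-device mapping; the plaintext administrative login mentioned in the quote would still need an encrypted, mutually authenticated channel.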
While he has contacted iLnk, HiChip and other manufacturers of the affected devices, none of them has responded or acknowledged the issue. More details on the vulnerability can be found here.