Millions of IoT devices impacted by new P2P vulnerabilities
By Max BurkhalterMay 10, 2019
One of the foundational capabilities of modern internet of things devices is the ability to transmit data packages between endpoints, often facilitated through peer-to-peer infrastructures. P2P computing uses a distributed architecture that allows individual pieces of hardware to share resources with other devices in its network. This enables computers and wireless devices to work collaboratively to perform essential tasks through partitioned workloads, per Digital Citizen. Each "peer" possess equal privileges and can make a portion of its resources available to its interconnected counterparts, including processing power, network bandwidth and disk storage. Nearly all P2P frameworks do not require a central servers or stable hosts to coordinate activities, as each peer can relocate its resources automatically.
Unlike traditional client-server models - where consumption and supply of resources are divided by a governing administrator- P2P systems empower every endpoint to act as a client and server at the same time. This not only streamlines the resource management process, but it also allows the system to engage in complex tasks that would be impossible for individual peers. The most common use case for P2P networks is sharing files across the internet, as each endpoint can send and receive data simultaneously. Some of the core characteristics that make this type of system useful for commercial applications include:
- Stability: P2P networks' decentralized infrastructure makes them incredibly resilient to hardware failures and cyber attacks. If a single peer goes offline, the other devices in the system will readjust and continue communicating efficiently.
- Scalability: Expanding a P2P network is remarkably simple, as adding a new peer does not require IT administrators to update a central server's configuration. This can significantly reduce downtime during new deployments and streamline the installation process.
- Speed: The ability to store the same file on several distinct peers allows users to quickly access data from any node in a P2P system. As a rule of thumb, the larger the network, the faster they perform.
Enterprise environments can also expect a cost reduction after equipping their IT infrastructure with P2P capabilities, as doing so eliminates the need to create or reconfigure servers when a new device is connected. Large-scale networks, in particular, can be expensive and difficult to manage, especially if content creators use their own bandwidth to distribute files across their organization. That said, P2P systems are far from perfect, as illustrated by a recent wave of device vulnerabilities that threaten the security and privacy of both commercial and consumer users.
Major security flaws discovered in iLnkP2P protocols
In April, IT security researcher Paul Marrapese released a detailed analysis of iLnkP2P, a peer-to-peer communication technology installed in millions of devices around the world. Marrapese discovered a series of severe security flaws back in January 2019, but decided to publish his findings online after receiving no response from China-based Shenzhen Yunni Technology, the development company behind the vulnerable P2P software. Thus far, a total of 2 million unsecured consumer, small business and enterprise devices have been identified, though it's difficult to pin down an exact number due to the wide use of iLnkP2P by foreign-based manufacturers, vendors and distributors. Some of the companies heavily impacted by the announcement include:
- HiChIp
- Wanscam
- Sricam
- Eye Sight
- SV3C
The affected P2P features enable users to access their devices remotely, without the need for any manual configuration. Owners can connect their phones or computers to their IoT devices by entering a special serial number into a mobile app, bypassing NAT and firewall restrictions. The security vulnerabilities allow hackers to access a variety of popular devices, including digital video recorders, security cameras, baby monitors and more. Once infiltrated, the affected hardware can be used to eavesdrop on the surrounding environment, exposing users to the risk of identity and credential theft, Krebs on Security reported. After probing the iLnkP2P software, Marrapese found two specific flaws:
- CVE-2019-11219: This enumeration vulnerability allows hackers to quickly discover any IoT devices that are online, whether or not they have the UID number. After a target has been identified, cybercriminals can directly connect to the device from anywhere in the world.
- CVE-2019-11220: This authentication flaw permits attackers to intercept any connections that are sent or received, making man-in-the-middle attacks simple to coordinate. Hackers can also use this flaw to steal a device's login credentials and take manually control of its operations.
Marrapese has issued a number of advisories to iLnkP2P's developer and vendors who sell vulnerable IoT products, but he has not received any formal reply. Without the direct cooperation of the P2P software's developer, it's unlikely that any long-term solutions will be released to the general public. This incident demonstrates that wireless IoT technologies have a lot of room to improve. Large commercial organizations must be cautious about implementing new hardware solutions without first assessing the potential threats.
Perle offers industry-grade connectivity tools that can help companies secure their mission critical operations. Read some of our customer stories to find out how we've helped other companies improve their infrastructure and protect their data stores.