Saturday, September 7, 2024
HomeIoTCritical Flaw in P2P Software Let Hackers to Hijack 2 Million IoT...

Critical Flaw in P2P Software Let Hackers to Hijack 2 Million IoT Devices Remotely & Spy Their Owners

Published on

A serious security flaw uncovered in iLnkP2P, a peer-to-peer (P2P) communications software component lets hackers hijack and gain access to nearly 2 million IoT Devices and control them remotely.

Peer-to-peer communication technology helps users to connect to their devices at the moment they come online which allows attackers to exploit the IoT devices such as security camera and control it remotely.

A peer-to-peer software component iLnkP2P developed by Shenzhen Yunni Technology, a Chinese based company and this component deployed in millions of Internet of Things (IoT) devices.

- Advertisement - EHA

iLnkP2P bundled in security cameras and Webcams, baby monitors, smart doorbells, and digital video recorders and the security flaw allows attackers to eavesdrop, password theft, and possibly remote compromise.

Paul Marrapese, a researcher who discovered the flaw said that the vulnerability affected the 2 million IoT devices around the world those distributed by HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight, and HVCAM.

According to the Researcher, Affected devices use a component called iLnkP2P. Unfortunately, iLnkP2P is used by hundreds of other brands as well, making identification of vulnerable devices difficult.

Learn : Mastering the Security of the Internet of Things Course

Discovering the Vulnerable IoT Devices

There are specific serial number known as a UID that looks like (FFFF-123456-ABCDE )can be used to identify this vulnerable device.

The researcher said that each ID begins with a unique alphabetic prefix that identifies which manufacturer produced the device, in this case, many of the companies that white-label the iLnkP2P software.

IOT Devices

Following Prefix contain devices are vulnerable that while labeled in millions of IoT devices but it’s not limited.

AIDAJTAVABSIPCAM
CPTCAMCTWDFTDFZDYNE
EEEEELSAESNESSEST
FFFFGCMNGGGGGKWHDT
HHHHHRXJHVCHWAAHZD
HZDAHZDBHZDCHZDNHZDX
HZDYHZDZIIIIIPCISRP
JWEVKSCMCIMCIHDMDI
MDIHDMEGMEYEMGAMGW
MICMICHDMMMMMSEMSEHD
MSIMSIHDMTEMTEHDMUI
MUIHDNIPNIPHDNPCNTP
OBJOPCSOPMSPARPARC
PCSPHPPIOPIPCAMPIX
PNPPSDPTPQHSVROSS
SIDSIPSXHTIOTSD
UIDVIOVSTDVSTFWBT
WBTHDWNSWNSCWXHWXO
XDBLXTSTZESZLDZSKJ
ZZZZ

HiChip — a Chinese IoT vendor alone manufactured devices for nearly half of the vulnerable devices that uses the prefixes FFFF, GGGG, HHHH, IIII, MMMM, ZZZZ.

Marrapese said to Kerbs, “a proof-of-concept script he built identified more than two million vulnerable devices around the globe (see map above). He found that 39 percent of the vulnerable IoT things were in China; another 19 percent are located in Europe; seven percent of them are in use in the United States.”

He also developed a proof-of-concept that allows stealing the passwords from devices by abusing their built-in “heartbeat” feature.

A Heartbeat future that built-in with the iLnkP2P sends to “yes I’m here” to their preconfigured P2P servers regularly and waiting for the response and further instructions.

He attempts to notify China’s CERT, iLnk and a half dozen major vendors whose products make up the bulk of the affected devices, none of them have responded to his reports

These are two CVE that we need to point out here ,

  • CVE-2019-11219 refers to an enumeration vulnerability in iLnkP2P that allows attackers to rapidly discover devices that are online.
  • CVE-2019-11220 refers to an authentication vulnerability in iLnkP2P that allows attackers to intercept connections to devices and perform man-in-the-middle attacks and control the device remotely.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity courses online to keep your self-updated.

Also Read:

Hackers Offered IoT Botnet as Service “TheMoon” : Botnet-as-a-Service

Beware – Dangerous IoT Attacks Leads Some One to Hack and Control Your Car

Chalubo Botnet Compromise Your Server or IoT Device & Use it for DDOS Attack

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

BBTok Abuses Legitimate Windows Utility Command Tool to Stay Undetected

Cybercriminals in Latin America have increased their use of phishing scams targeting business transactions...

Predator Spyware Exploiting “one-click” & “zero-click” Flaws

Recent research indicates that the Predator spyware, once thought to be inactive due to...

Tropic Trooper Attacks Government Organizations to Steal Sensitive Data

Tropic Trooper (aka KeyBoy, Pirate Panda, and APT23) is a sophisticated cyberespionage APT group,...

NoiseAttack is a Novel Backdoor That Uses Power Spectral Density For Evasion

NoiseAttack is a new method of secretly attacking deep learning models. It uses triggers...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Millions Of IoT Devices Vulnerable To Attacks Leads To Full Takeover

Researchers discovered four significant vulnerabilities in the ThroughTek Kalay Platform, which powers 100 million...

Europe’s Most Wanted Teenage Hacker Arrested

Julius “Zeekill” Kivimäki, once Europe's most wanted teenage hacker, has been arrested.Kivimäki, known for his involvement with the notorious Lizard Squad,...

A guide To IoT Security – Protect Your Connected Devices

Living in the digital era, accompanied by technological devices that have become a part...