Security experts discovered two serious vulnerabilities in the iLnkP2P P2P system, which is developed by Chinese firm Shenzhen Yunni Technology Company, Inc. The iLnkP2P system allows users to remotely connect to their IoT devices using a mobile phone or a PC. Potentially affected IoT devices include cameras and smart doorbells.
iLnkP2P is widely used in devices marketed by several vendors, including Hichip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight, and HVCAM.
The experts identified over 2 million vulnerable devices exposed online: 39% of them are located in China, 19% in Europe, and 7% in the United States. Roughly 50% of the vulnerable devices are manufactured by Chinese company Hichip.
The first iLnkP2P flaw, tracked as CVE-2019-11219, is an enumeration vulnerability that could be exploited by an attacker to discover devices exposed online. The second issue, tracked as CVE-2019-11220, can be exploited by an attacker to intercept connections to vulnerable devices and conduct man-in-the-middle (MitM) attacks.
An attacker could chain the issues to steal passwords and possibly remotely compromise the devices; the attacker only needs to know the IP address of the P2P server used by the device.
The researchers also built a proof-of-concept attack to demonstrate how to steal passwords from devices by abusing their built-in “heartbeat” feature, but they will not release it to prevent abuse.
The security expert has attempted to report the flaws to the impacted vendors since January 2019, but he did not receive any response from them. The security expert reported the flaws to the CERT Coordination Center (CERT/CC) at Carnegie Mellon University; the Chinese CERT was also informed of the discovery.
The bad news is that there is no patch for these issues, and experts believe fixes are unlikely to be released soon.
The nature of these vulnerabilities makes them extremely difficult to remediate for several reasons, according to researchers. Software-based remediation is unlikely due to the infeasibility of changing device UIDs, which are permanently assigned during the manufacturing process. Furthermore, even if software patches were issued, the likelihood of most users updating their device firmware is low. Physical device recalls are unlikely as well because of considerable logistical challenges. Shenzhen Yunni Technology is an upstream vendor with an inestimable number of sub-vendors due to the practice of white-labeling and reselling.