Security & Fraud

P2P Security Issues Plague Millions Of IoT Devices

P2P Security Issues Plague IoT Devices

A P2P (peer-to-peer) technology ingrained in millions of IoT (Internet of Things) devices, including security cameras, smart doorbells, baby monitors and video recorders, has many security flaws that allow them to be compromised easily, exposing users to dangers from eavesdropping, credential theft and takeovers from remote locations.

KrebsOnSecurity reported the dangers are involved with iLnkP2P, a Chinese software from Shenzhen Yunni Technology. iLnkP2P, which is designed to allow device owners to easily access them from any location, is built into millions of IoT devices.

The tech is designed to access a firewall without altering it – a user will just download an app and either scan a barcode or enter a six-digit number on the device.

Paul Marrapese, a KrebsOnSecurity researcher, identified upwards of two million vulnerable devices all over the world, with 39 percent in China, 19 percent in Europe and 7 percent in the United States.

He also built a proof-of-concept attack that can compromise passwords from these devices using what is called a “heartbeat” feature, where the device sends a regular message to a preconfigured P2P server as if to say, “Here I am.”

“A P2P server will direct connection requests to the origin of the most recently received heartbeat message,” Marrapese said. “Simply by knowing a valid device UID, it is possible for an attacker to issue fraudulent heartbeat messages that will supersede any issued by the genuine device. Upon connecting, most clients will immediately attempt to authenticate as an administrative user in plaintext, allowing an attacker to obtain the credentials to the device.”

Also, many of these devices operate in their factory settings, which is a default password. Code in the firmware and software in these IoT devices can be old, rife with vulnerabilities and easily compromised.

Marrapese said there is not really a solution to the problem other than purchasing a vulnerable device.

“The nature of these vulnerabilities makes them extremely difficult to remediate for several reasons,” Marrapese wrote. “Software-based remediation is unlikely due to the infeasibility of changing device UIDs, which are permanently assigned during the manufacturing process. Furthermore, even if software patches were issued, the likelihood of most users updating their device firmware is low. Physical device recalls are unlikely as well because of considerable logistical challenges. Shenzhen Yunni Technology is an upstream vendor with inestimable sub-vendors due to the practice of white-labeling and reselling.”

Marrapese listed the affected security cameras here.

——————————

PYMNTS LIVE ROUNDTABLE: TUESDAY, JULY 14, 2020 AT 12:00 PM (ET)

Digital transformation has been forcefully accelerated, but how does that agility translate into the fight against COVID-era attacks and sophisticated identity threats? As millions embrace online everything, preserving digital trust now falls mostly on banks and FIs. Now, advances in identity data and using different weights on the payment mix afford new opportunities to arm organizations and their customers against cyberthreats. From the latest in machine learning for fraud and risk, to corporate treasury teams working in new ways with new datasets, learn from experts how digital identity, together with advances like real-time payments, combine to engender trust and enrich relationships.

TRENDING RIGHT NOW