Security flaws found in millions of security cameras, other consumer electronics

Focus on IoT security

The biggest problem with IoT security comes from IoT device vendors, but the businesses and consumers that buy them are first to be damaged by security flaws.

A few months ago, Platte River Networks published some simple recommendations for network security in the IoT age and cautioned that IoT vulnerabilities should at least for the time being be assumed as real. Recently a software feature was found to essentially be an open door to the networks using it.

The Internet of Things (IoT) software feature is called iLnkP2P. Developed by Shenzhen Yunni Technology Company, iLnkP2P is built into millions of security cameras, webcams, baby monitors, smart doorbells and digital video recorders. It allows users of these devices to quickly and easily access them remotely, without having to manually pass through a firewall.

According to information gathered and publicized by security engineer Paul Marrapese, iLnkP2P is not properly encrypted to protect from attackers bypassing its firewall and establishing a connection almost as easily as the owner.

There were at least two million devices with this built-in vulnerability scattered throughout the globe in 2019, including those distributed by HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight, HVCAM and hundreds of other brands.

iLnkP2P Network Vulnerabilities Allow Two Different Hacks

Marrapese diagnosed two vulnerabilities in iLnkP2P.

One, CVE-2019-11219, allows attackers to easily discover vulnerable devices online and establish direct connections to them using Network Address Translation.

The other, CVE-2019-11220, allows attackers to carry out man-in-the-middle attacks, in which they intercept connections to devices. They can then use the hijacked connection to acquire passwords and ultimately gain unauthorized access: a relatively common tool from the hacker’s belt.

Most of the devices that use iLnkP2P lack secure encryption, but even so-called encrypted devices are easy targets. Some vendors have even lied about using encryption. Whether due to malicious intent or lack of oversight, the end result for businesses is the same: A security breach waiting to happen.

Check your devices

To check whether or not your device is vulnerable to these security flaws, compare the device’s Unique Identity Number (UID) to this list.

The special serial number is typically printed on a device’s label and the 91 UID’s listed are known to use iLnkP2P. Other devices not listed may also be using the software.

Safeguarding the Business of Things

Unfortunately for owners of these devices, options appear to be limited when considering how to protect against security flaws.

One measure is to block the software’s UPD port, 321000. This prevents remote access to the device from external networks while maintaining local access.

Otherwise, replace the vulnerable device with one from a reputable vendor.

And therein lies the overwhelming problem with many IoT devices in general: The drive to make them cheap and easy to use has frequently overshadowed manufacturers’ desires to protect consumers from cybercriminals.

Your business can limit its exposure by emphasizing security during vendor selection, but we also recommend more.

Ways to Improve IoT Security on Your Devices

1. Adopt a risk-driven approach

Take the time to comprehend the risks each device presents and then apply security controls appropriate to the level of risk involved.

2. Set standards; stick to them

No matter the complexity of the device, ensure each one meets the security requirements set by your business.

3. Consider software, application vulnerabilities

While a device itself may be secure, be sure to vet the software, applications and any other features used with the device for security flaws.

4. Place devices on an isolated network

Any IoT or Smart Home devices can be firewalled by placing them on your local router or even a dedicated router.

A dedicated router is more secure, for it allows you to use a virtual private network (VPN) connection and enhance encryption without slowing down your overall network.

5. Adapt to new threats, update firmware

Don’t fall victim to complacency. Cybercriminals are constantly evolving and looking for weaknesses in seemingly secure devices. A simple safeguard that is all too frequently slacked on is updating firmware as it becomes available.

6. Plan for the worst: Disaster recovery

Know what to do if a device is compromised. A disaster recovery plan can make all the difference when sensitive data is concerned.

7. Automate security wherever possible

Automatic data monitoring, threat identification, threat quarantine and other security is the first and strongest line of defense a modern-day IoT network can have. As connectivity increases, so must automation.

Questions about IoT security?

Call Platte River Networks for a free consultation.