P2P Flaws Expose Millions of IoT Devices to Remote Attacks

Vulnerabilities discovered by a researcher in a peer-to-peer (P2P) system named iLnkP2P expose millions of cameras and other Internet of Things (IoT) devices to remote attacks from the Internet, and no patches are available.

Paul Marrapese, a California-based security engineer, discovered two serious flaws in iLnkP2P, a system developed by Chinese firm Shenzhen Yunni Technology Company, Inc. iLnkP2P is a P2P solution that makes it easier for users to connect to their IoT devices from their phone or computer.

According to the expert, iLnkP2P is present in devices marketed under hundreds of brands, including Hichip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight, and HVCAM. Affected products include cameras, baby monitors and smart doorbells. Marrapese has conducted an Internet scan and identified over 2 million vulnerable devices.

The researcher has identified two iLnkP2P vulnerabilities. One of them, tracked as CVE-2019-11219, is an enumeration issue that allows an attacker to quickly discover devices exposed to the Internet. The second flaw, CVE-2019-11220, can be exploited to intercept connections to affected devices and conduct man-in-the-middle (MitM) attacks. This allows a malicious actor to obtain a device’s password and hijack it.
