Peer-to-peer takes on a whole new meaning when used to spy on 3.7 million or more cameras, other IoT gear
In-depth dive into protocols exposing countless gadgets to miscreants
DEF CON More than 3.7 million. That's the latest number of surveillance cameras, baby monitors, doorbells with webcams, and other internet-connected devices found left open to hijackers via two insecure communications protocols globally, we're told.
This is up from estimates of a couple of million last year. The protocols are CS2 Network P2P, used by more than 50 million devices worldwide, and Shenzhen Yunni iLnkP2P, used by more than 3.6 million. The P2P stands for peer-to-peer. The devices' use of the protocols cannot be switched off.
The upshot is Internet-of-Things gadgets using vulnerable iLnkP2P implementations can be discovered and accessed by strangers, particularly if the default password has not been changed or is easily guessed. Thus miscreants can abuse the protocol to spy on poorly secured cameras and other equipment dotted all over the world (CVE-2019-11219). iLnkP2P connections can also be intercepted by eavesdroppers to snoop on live video streams, login details, and other data (CVE-2019-11220).
Meanwhile, CS2 Network P2P can fall to the same sort of snooping as iLnkP2P (CVE-2020-9525, CVE-2020-9526). iLnkP2P is, we're told, functionally near-identical to CS2 Network P2P, though the two implementations differ in places.
The bugs were found by Paul Marrapese, who has a whole site, hacked.camera, dedicated to the vulnerabilities. "As of August 2020, over 3.7 million vulnerable devices have been found on the internet," reads the site, which lists affected devices and advice on what to do if you have any at-risk gear. (Summary: throw it away, or try firewalling it off.)
He went public with the CS2 Network P2P flaws this month after being told in February by the protocol's developers the weaknesses will be addressed in version 4.0. In 2019, he tried to report the iLnkP2P flaws to developers Shenzhen Yunni, received no response, and went public with those bugs in April that year.
At this year's DEF CON hacking conference, held online last week, Marrapese gave an in-depth dive into the insecure protocols, which you can watch below.
"When hordes of insecure things get put on the internet, you can bet the end result is not going to be pretty," Marrapese, a red-team member at an enterprise cloud biz, told his web audience. "A $40 purchase from Amazon is all you need to start hacking into devices."
The protocols use UDP port 32100, and are outlined here by Fabrizio Bertone, who reverse engineered them in 2017. Essentially, they're designed to let non-tech-savvy owners access their devices, wherever they are. The devices contact central servers to announce they're powered up, and stay registered by sending heartbeat messages to those servers. The cloud-hosted servers thus know which IP addresses the gadgets are using, and stay in constant touch with the devices.
When a user wants to connect to their device, and starts an app to log into their gadget, the servers will tell the app how to connect to the camera, or whatever it may be, either via the local network or over the internet. If need be, the device and app will be instructed to use something called UDP hole punching to talk to each other through whatever NATs may be in their way, or via a relay if that doesn't work. This allows the device to be used remotely by the app without the owner having to, say, change any firewall or NAT settings on their home router. The app and device find a way to talk to each other.
"In the context of IoT, P2P is a feature that lets people connect to their device anywhere in the world without any special setup," Marrapese said. "You have to remember, some folks don't even know how to log into their routers, never mind forward a port."
In the case of iLnkP2P, it turned out it was easy to calculate the unique IDs of strangers' devices, and thus use the protocol to find and connect to them. The IDs are set at the factory and can't be changed. Marrapese was able to enumerate millions of gadgets, and use their IP addresses to approximate their physical location, showing equipment scattered primarily across Asia, the UK and Europe, and North America. Many accept the default password, and thus can be accessed by miscreants scanning the internet for vulnerable P2P-connected cameras and the like. According to Marrapese, thousands of new iLnkP2P-connected devices appear online every month.
Seeing as these devices run all their software as root on Linux, being able to find them and exploit a remote code execution bug would pretty much give you a pre-cooked botnet that just needed reheating. Marrapese was able to find such a flaw in the firmware in millions of devices built by Shenzhen Hichip Vision, which are rebadged by scores of other manufacturers, and are accessible via P2P protocols – they make up 81 per cent of the world's iLnkP2P-connected gear, for instance. The buffer-overflow flaw could be exploited to execute arbitrary code and gain total control of millions of gadgets, all reachable over the internet. Standard security protections were disabled. The hole was patched in June this year after being privately reported in January, though we imagine those updates haven't made their way to all installations just yet.
Also bear in mind these gadgets sit on people's Wi-Fi and LANs, so once you've commandeered a security camera, or whatever it may be, you can reach adjacent machines to exploit, or use nearby wireless network MAC addresses to pinpoint the exact location of the hardware from Google's databases, and so on.
Next, it probably won't surprise you to know that the connections between the apps and devices often aren't encrypted, so if you can eavesdrop on this traffic, you can see everything: login credentials, camera feeds, etc. Also, if you calculate a stranger's device unique ID, you can just send that to one of the central servers and masquerade as that gadget. When the user tries to log into their equipment, they'll connect to your machine, rather than their own hardware, and you can then grab the password and act as a miscreant-in-the-middle between the victim and their IoT widget, allowing you to spy on their video feed, and so on.
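The rendezvous flow described earlier (devices register and heartbeat, the app looks a UID up and is told where to connect) and the device-impersonation it enables, modelled in Python as an added example. This is not code from the article, from Marrapese, or from either protocol's vendor, and it is not the CS2 Network P2P or iLnkP2P wire format: the message names, the UID strings, the endpoints, the challenge/nonce scheme and the per-device secret are all assumptions made for illustration. The weak server trusts whoever announces a UID last, so an attacker who can calculate a UID steals its directory entry; the hardened variant only updates an entry when the announcer proves possession of that device's secret with an HMAC over a server nonce. NAT hole punching and the relay path are not modelled.

```python
"""Toy model of the rendezvous (directory) role a P2P cloud server plays for
IoT devices, and of the device-impersonation weakness described in the article.
Added illustration only: message names, UIDs, endpoints, the nonce scheme and
the per-device secret are constructed assumptions, not either real protocol."""
import hashlib
import hmac
import os


def encode_endpoint(endpoint):
    """Canonical bytes for an (ip, port) pair, bound into the registration proof."""
    ip, port = endpoint
    return f"{ip}:{port}".encode()


class RendezvousServer:
    """Weak directory: maps UID -> last public (ip, port) that announced it.

    Devices REGISTER on boot and HEARTBEAT to stay listed; an app does a LOOKUP
    by UID and is told where to connect. Nothing proves the announcer owns the
    UID, so whoever registers last 'is' the device."""

    def __init__(self):
        self.devices = {}  # uid -> (public_endpoint, last_seen)

    def register(self, uid, public_endpoint, now, proof=None):
        self.devices[uid] = (public_endpoint, now)
        return ("REGISTER_OK", uid)

    def heartbeat(self, uid, public_endpoint, now, proof=None):
        return self.register(uid, public_endpoint, now, proof)

    def lookup(self, uid, now, timeout=60):
        entry = self.devices.get(uid)
        if entry is None or now - entry[1] > timeout:
            return ("DEVICE_OFFLINE", uid)
        return ("CONNECT_TO", uid, entry[0])


def device_proof(secret, nonce, public_endpoint):
    """Device side: HMAC over the server nonce and the endpoint being claimed."""
    return hmac.new(secret, nonce + encode_endpoint(public_endpoint),
                    hashlib.sha256).digest()


class AuthenticatedRendezvousServer(RendezvousServer):
    """Hardened directory: a UID's entry only changes if the announcer proves
    possession of that device's secret (assumed provisioned at manufacture).
    Heartbeats go through register(), so they need a fresh challenge too."""

    def __init__(self, secrets):
        super().__init__()
        self.secrets = secrets   # uid -> bytes
        self.challenges = {}     # uid -> outstanding nonce

    def challenge(self, uid):
        nonce = os.urandom(16)
        self.challenges[uid] = nonce
        return ("CHALLENGE", uid, nonce)

    def register(self, uid, public_endpoint, now, proof=None):
        nonce = self.challenges.pop(uid, None)
        secret = self.secrets.get(uid)
        if nonce is None or secret is None or proof is None:
            return ("REJECTED", uid)
        if not hmac.compare_digest(device_proof(secret, nonce, public_endpoint), proof):
            return ("REJECTED", uid)
        return super().register(uid, public_endpoint, now)


def enumerate_online(server, candidate_uids, now):
    """Attacker side: LOOKUP answers 'online or not' for any UID, so a
    calculable UID space turns the directory into a scanner. The only real
    fix for this part is unguessable UIDs (plus rate limiting)."""
    return [uid for uid in candidate_uids
            if server.lookup(uid, now)[0] == "CONNECT_TO"]


CAMERA = ("203.0.113.10", 41000)     # constructed: victim camera's public endpoint
ATTACKER = ("198.51.100.7", 32100)   # constructed: attacker's host
UID = "EXAMPLE-000001"               # constructed placeholder UID


def weak_scenario():
    """Camera registers; attacker re-registers the same UID; the app is then
    directed to the attacker, who can capture the login and proxy the feed."""
    server = RendezvousServer()
    server.register(UID, CAMERA, now=0)
    server.register(UID, ATTACKER, now=1)
    return server.lookup(UID, now=2)


def hardened_scenario():
    """Same sequence against the authenticated server: the attacker sees the
    nonce but cannot produce a valid proof without the device secret."""
    secret = b"constructed per-device secret"
    server = AuthenticatedRendezvousServer({UID: secret})
    _, _, nonce = server.challenge(UID)
    genuine = server.register(UID, CAMERA, now=0,
                              proof=device_proof(secret, nonce, CAMERA))
    _, _, nonce = server.challenge(UID)
    forged = server.register(UID, ATTACKER, now=1,
                             proof=device_proof(b"wrong guess", nonce, ATTACKER))
    return genuine, forged, server.lookup(UID, now=2)


if __name__ == "__main__":
    print("weak server sends the app to:", weak_scenario())
    print("hardened server:", hardened_scenario())
    srv = RendezvousServer()
    srv.register("EXAMPLE-000007", CAMERA, now=0)
    print("online:", enumerate_online(srv, [f"EXAMPLE-{i:06d}" for i in range(10)], now=1))
```

The authenticated variant stops the directory hijack, but it does nothing about the other two problems on this page: lookups still leak which UIDs are online, so guessable UIDs remain enumerable, and the app-to-device session itself is still whatever the protocol makes it, which here is plaintext.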
What's also interesting is that people's devices can be silently selected to become relays within the P2P network, transferring strangers' data between nodes in the peer-to-peer network. "These are called superdevices and this behavior is kept secret from users," says Marrapese. "Someone else's camera may well be proxying your own video feed."
These relay nodes can therefore snoop on information they're shuttling between devices and apps.
"Anyone on the planet can sniff your entire session and capture your password or your video without you ever knowing," he warned. "There's no need to expend a ton of effort setting up a man-in-the-middle attack when this exists by design."
See the above 30-minute video for the full story and technical details. The iLnkP2P flaws remain unfixed. ®