A security researcher found that two P2P protocols used by millions of IoT devices around the world contain numerous vulnerabilities that would allow attackers to intercept traffic, spy on video streams and more.
One way that IoT devices communicate with their servers and with their users is through peer-to-peer protocols. While that might sound safe, it is not, as security researcher Paul Marrapese found out: both iLnkP2P and CS2 Network P2P have multiple vulnerabilities. What is worse, the companies behind them are in no hurry to fix them.
Hackers can exploit around 3 million cameras, baby monitors, and doorbells through poorly designed and implemented P2P protocols. The researcher investigated numerous devices over two years and found that Shenzhen Yunni iLnkP2P, used in 3.6 million devices, and CS2 Network P2P, used in over 50 million devices, allow man-in-the-middle attacks and expose device credentials and sensitive information such as video and audio streams, among other problems.
“Affected devices use ‘peer-to-peer’ features (also known as ‘P2P’) that allow users to connect to their devices the moment they come online. Hackers are able to exploit flaws in these features to rapidly find vulnerable cameras, then launch attacks to access them,” said the researcher.
“Other flaws make it possible for anyone to intercept connections to cameras, then covertly monitor video feeds and steal device passwords – all without the owner ever knowing. As of August 2020, over 3.7 million vulnerable devices have been found on the Internet,” he continued.
Vulnerabilities are found regularly in protocols and devices, but the real problems arise when companies ignore the people who report them. Marrapese notified the developers last year and spent more than a year trying to get their attention.
Unfortunately, the companies ignored him, so he published the investigation and the vulnerabilities at DEF CON 2020. The result is that millions of exposed devices remain in the field and are likely to be targeted by hackers drawing on the published research.