Vulnerabilities

Critical vulnerabilities compromise millions of IoT devices

Cyber forensics course specialists reported critical security vulnerabilities in iLnkP2P, a peer-to-peer (P2P) communications software component that, if exploited, would allow a hacker to access and take control of about 2 million Internet of Things (IoT) devices.

This technology allows users to connect to their devices as soon as they come online; an attacker could abuse this feature to exploit vulnerabilities in IoT devices, such as surveillance cameras, and control them remotely.

A vulnerability in the iLnkP2P component could allow an attacker to perform various malicious activities, such as password theft, remote device compromise and espionage. According to cyber forensics course specialists, the affected component is used in security cameras, webcams and baby monitors, among other IoT devices.

According to reports, the vulnerability has already affected about 2 million IoT devices distributed by multiple companies. Experts add that it is difficult to establish which devices are exposed to exploitation of the vulnerability, as hundreds of distributors around the world use the same iLnkP2P component; however, the serial number (UID) has been linked to the vulnerable devices, cyber forensics course specialists mentioned.

A proof of concept identified the two million vulnerable IoT devices, of which about 40% are located in China, 19% across Europe and the rest in the United States. A functional proof of concept for password theft on vulnerable devices was also developed.

The vulnerabilities have been tracked as:

  • CVE-2019-11219: iLnkP2P enumeration vulnerability that allows attackers to quickly discover devices that are online
  • CVE-2019-11220: iLnkP2P authentication vulnerability that enables attackers to remotely intercept connections and deploy Man-in-the-Middle (MitM) attacks

According to the specialists of the International Institute of Cyber Security (IICS), researchers have tried to contact the equivalent of CERT in China and the security teams of iLnk, as well as some distributors, although none of the organizations has responded to requests for information.
