Millions of IoT devices exposed by security flaws in integrated P2P communications software

Embedded iLnkP2P software is supposed to make it easier for users to connect to their IoT devices, but it also makes it easy for attackers

Security flaws in peer-to-peer software built into millions of Internet of Things (IoT) devices have exposed millions of home security camera systems and other connected devices to attack.

The iLnkP2P software, developed by China's Shenzhen Yunni Technology, is integrated into millions of security cameras, digital video recorders, supposedly smart devices and other IoT systems.

However, according to security journalist Brian Krebs, the software contains critical security flaws and can expose the owners of the devices to credential theft, eavesdropping and remote compromise.

The software is supposed to enable users to tap into the devices from anywhere in the world without having to punch a hole through their broadband router's firewall. Instead, users can connect with the devices via their smartphone by scanning a QR code or tapping in a six-digit identification code on the bottom of the device.

But Krebs claims that the iLnkP2P software doesn't offer any authentication process and that communications aren't even encrypted. Hence, all an attacker needs to do to view a live stream of, say, a home security camera is to tap a six-figure code into the software.

Krebs reports that the software has been analysed by security researcher Paul Marrapese. Marrapese claims that there are around six million potential variations in the six-digit coding system adopted by the company, with around two million instances of the software currently in use.

When connected to a network, the iLnkP2P software will send out a regular ‘heartbeat' message to make it easy for users to connect their smartphones to their home security devices, and for attackers to sniff out device passwords in cases where users have changed the default credentials.

"A P2P server will direct connection requests to the origin of the most recently-received heartbeat message," Marrapese told Krebs.

He continued: "Simply by knowing a valid device UID, it is possible for an attacker to issue fraudulent heartbeat messages that will supersede any issued by the genuine device. Upon connecting, most clients will immediately attempt to authenticate as an administrative user in plaintext, allowing an attacker to obtain the credentials to the device."
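The two weaknesses Marrapese describes, a rendezvous server that trusts whichever heartbeat arrived last, and a client that then authenticates in plaintext to wherever it is pointed, come down to one design decision: the heartbeat carries nothing that proves it came from the device. The model below is an added example written for this article; it is not code from Krebs, Marrapese or Shenzhen Yunni, and it does not reproduce iLnkP2P's actual wire format, which the article does not describe. It contrasts a last-heartbeat-wins server with a hardened variant (an assumption of what a fix could look like, not something the vendor shipped) in which each device holds a per-device secret and every heartbeat carries an HMAC and a strictly increasing counter, so a party that knows only the UID can neither forge nor replay one. It also includes a simple server-side check over constructed log lines that flags UIDs whose heartbeat source keeps changing. All addresses, UIDs and the secret are constructed placeholders.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Constructed placeholders: documentation/TEST-NET addresses, not real devices.
DEVICE_ADDR = ("198.51.100.7", 32100)   # the genuine device's public address
OTHER_ADDR = ("203.0.113.9", 41000)     # another host claiming the same UID
UID = "EXAMPLE-123456"                  # placeholder UID, not a real device id


@dataclass
class NaiveRendezvous:
    """Last heartbeat wins: clients are directed to the source of the most recent
    heartbeat for a UID, with nothing checked. This is the weakness in the article."""
    peers: dict = field(default_factory=dict)

    def heartbeat(self, uid, source):
        self.peers[uid] = source        # no authentication: newest sender overwrites the mapping
        return True

    def lookup(self, uid):
        return self.peers.get(uid)


@dataclass
class AuthenticatedRendezvous:
    """Hypothetical hardened server: a heartbeat is accepted only if its HMAC over
    (uid, source, counter) verifies under the device's secret and the counter is
    higher than the last one seen, so forged and replayed heartbeats are dropped."""
    secrets: dict                                   # uid -> per-device secret
    peers: dict = field(default_factory=dict)
    last_counter: dict = field(default_factory=dict)

    @staticmethod
    def tag(secret, uid, source, counter):
        msg = f"{uid}|{source[0]}:{source[1]}|{counter}".encode()
        return hmac.new(secret, msg, hashlib.sha256).digest()

    def heartbeat(self, uid, source, counter, tag):
        secret = self.secrets.get(uid)
        if secret is None:
            return False                            # unknown UID
        if counter <= self.last_counter.get(uid, -1):
            return False                            # replayed or stale heartbeat
        if not hmac.compare_digest(self.tag(secret, uid, source, counter), tag):
            return False                            # sender does not hold the device secret
        self.last_counter[uid] = counter
        self.peers[uid] = source
        return True

    def lookup(self, uid):
        return self.peers.get(uid)


def compare_designs():
    """Feed the same sequence of events to both servers and report where a client
    asking for UID would be directed by each."""
    naive = NaiveRendezvous()
    naive.heartbeat(UID, DEVICE_ADDR)
    naive.heartbeat(UID, OTHER_ADDR)                # knowing the UID is enough here

    secret = b"per-device-secret-provisioned-at-factory"   # constructed
    hardened = AuthenticatedRendezvous(secrets={UID: secret})
    genuine_tag = hardened.tag(secret, UID, DEVICE_ADDR, 1)
    hardened.heartbeat(UID, DEVICE_ADDR, 1, genuine_tag)
    forged = hardened.heartbeat(UID, OTHER_ADDR, 2, b"\x00" * 32)    # no secret: rejected
    replayed = hardened.heartbeat(UID, DEVICE_ADDR, 1, genuine_tag)  # old counter: rejected
    return {
        "naive_directs_to": naive.lookup(UID),
        "forged_accepted": forged,
        "replay_accepted": replayed,
        "hardened_directs_to": hardened.lookup(UID),
    }


# Constructed heartbeat log in a made-up format; not iLnkP2P's real logging.
HEARTBEAT_LOG = """\
2019-04-26T10:00:00Z uid=EXAMPLE-123456 src=198.51.100.7:32100
2019-04-26T10:00:30Z uid=EXAMPLE-123456 src=198.51.100.7:32100
2019-04-26T10:00:41Z uid=EXAMPLE-123456 src=203.0.113.9:41000
2019-04-26T10:01:00Z uid=EXAMPLE-123456 src=198.51.100.7:32100
2019-04-26T10:00:00Z uid=EXAMPLE-654321 src=192.0.2.44:32100
2019-04-26T10:00:30Z uid=EXAMPLE-654321 src=192.0.2.44:32100
"""

LINE_RE = re.compile(r"^(\S+) uid=(\S+) src=(\S+)$")


def flapping_uids(log_text):
    """Server-side detection: UIDs whose heartbeat source address changes. A UID
    seen from more than one address is either a device behind a shifting NAT
    mapping or two parties claiming the same UID; both deserve a look."""
    sources = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, uid, src = m.groups()
        sources.setdefault(uid, set()).add(src)
    return sorted(uid for uid, seen in sources.items() if len(seen) > 1)


if __name__ == "__main__":
    print(compare_designs())
    print("UIDs with changing heartbeat source:", flapping_uids(HEARTBEAT_LOG))
```

The naive server ends up pointing clients at the last sender, which is exactly why a client that then sends administrative credentials in the clear leaks them; the hardened server keeps pointing at the genuine device because the other heartbeats fail verification. Note that the HMAC only authenticates the rendezvous step: the client-to-device session itself still needs encryption, which the article says iLnkP2P also lacks.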

Neither the software nor the wireless connectivity of the devices can be turned off, and even if the company produced a security patch it is unlikely that many of the devices would be updated, warned Marrapese.

Worst of all, perhaps: Marrapese claims that neither the manufacturers in China nor China's Computer Emergency Response Team (CERT) have responded to his security reports.

The software developer's website, meanwhile, not only appears to be non-functional; an analysis of its source code reveals that it has been compromised and is redirecting visitors to a Chinese gaming site.
