P2P Weakness Exposes Millions of IoT Devices

Last Updated: May 5th, 2019 11:36 pm
[OP]
Member
Feb 13, 2019
312 posts
158 upvotes

https://krebsonsecurity.com/2019/04/p2p ... t-devices/

Peer-to-peer (P2P) communications technology built into millions of security cameras and other consumer electronics includes several critical security flaws that expose the devices to eavesdropping, credential theft and remote compromise, new research has found.

A map showing the distribution of some 2 million iLnkP2P-enabled devices that are vulnerable to eavesdropping, password theft and possibly remote compromise, according to new research.

The security flaws involve iLnkP2P, software developed by China-based Shenzhen Yunni Technology. iLnkP2P is bundled with millions of Internet of Things (IoT) devices, including security cameras and Webcams, baby monitors, smart doorbells, and digital video recorders.

iLnkP2P is designed to allow users of these devices to quickly and easily access them remotely from anywhere in the world, without having to tinker with one’s firewall: Users simply download a mobile app, scan a barcode or enter the six-digit ID stamped onto the bottom of the device, and the P2P software handles the rest.

But according to an in-depth analysis shared with KrebsOnSecurity by security researcher Paul Marrapese, iLnkP2P devices offer no authentication or encryption and can be easily enumerated, allowing potential attackers to establish a direct connection to these devices while bypassing any firewall restrictions.

Marrapese said a proof-of-concept script he built identified more than two million vulnerable devices around the globe (see map above). He found that 39 percent of the vulnerable IoT things were in China; another 19 percent are located in Europe; seven percent of them are in use in the United States.
22 replies
Deal Expert
Mar 23, 2009
18853 posts
4948 upvotes
Toronto
My ecobee thermostat stays on the guest WiFi network.
Deal Addict
Jul 3, 2017
3860 posts
2784 upvotes
EugW wrote: My ecobee thermostat stays on the guest WiFi network.
But do you really think that helps? If you have AP isolation enabled on your guest network, the IoT device can't see other devices on your network, but it can still talk to the internet, download malware, run malware from your home etc.

I think most people realize that IoT devices have this vulnerability, so we should expect a stream of warnings like this where specific vulnerabilities are discovered in the poorly-tested and not very secure firmware.
Deal Guru
Nov 21, 2002
10203 posts
2609 upvotes
Winnipeg
Exp315 wrote: I think most people realize that IoT devices have this vulnerability, so we should expect a stream of warnings like this where specific vulnerabilities are discovered in the poorly-tested and not very secure firmware.
But so everyone is warned? The article clearly mentions fixing your investment is "infeasible".

I remember back in the KRACK problem how vulnerable and inflexible most cheap devices were, with no desire to update due to cost, so no fixes could remedy them. It just opens the door for new products and more money to be made. Cheap bad unknown China brands disappear, new names show up again. The vicious cycle continues.

The irony. The very cheap products that found open-source solutions grew more expensive when they became popular, but nothing at the manufacturer level warranted these price increases.

The recommendation is to not use any IoT devices that advertise or use P2P tech. A potential remedy was "Marrapese said it should be possible to block vulnerable devices from communicating with any P2P servers by setting up firewall rules that block traffic destined for UDP port 32100."

Seems to me another cloud-based, external-server-dependent security flaw. Choosing a path where you're the app controller or cloud for your own devices seems the only route. At least your chances of fixing/securing your investment improve. This push for reliance on off-site support these days seems entirely focused on finding new avenues to basically collect data.

The other articles mention that most security flaws happened because support wants simple access=lazy.
Deal Expert
Mar 23, 2009
18853 posts
4948 upvotes
Toronto
Exp315 wrote: But do you really think that helps? If you have AP isolation enabled on your guest network, the IoT device can't see other devices on your network, but it can still talk to the internet, download malware, run malware from your home etc.

I think most people realize that IoT devices have this vulnerability, so we should expect a stream of warnings like this where specific vulnerabilities are discovered in the poorly-tested and not very secure firmware.
Yes that helps. My thermostat doesn’t need to speak to the rest of the network, and if it were to get hacked, all the hacker could do is control my thermostat, or as you say, run (very limited) malware. Not very interesting for a hacker.
Deal Addict
Jul 3, 2017
3860 posts
2784 upvotes
EugW wrote: Yes that helps. My thermostat doesn’t need to speak to the rest of the network, and if it were to get hacked, all the hacker could do is control my thermostat, or as you say, run (very limited) malware. Not very interesting for a hacker.
Relay for child porn, police at your doorstep - might be interesting for you!
[OP]
Member
Feb 13, 2019
312 posts
158 upvotes
Exp315 wrote: Relay for child porn, police at your doorstep - might be interesting for you!
The question I have (as an average Joe Blow) is how do I protect myself?

Btw Exp315 have you heard of or used OpenVPN? On another forum they recommend that is the way to protect hackers from accessing security cams.
Deal Expert
Mar 23, 2009
18853 posts
4948 upvotes
Toronto
Exp315 wrote: Relay for child porn, police at your doorstep - might be interesting for you!
I'd like to see a link to even just a proof of concept of this being demonstrated on a thermostat. This isn't a NAS or a thin client or something like that after all. Furthermore, a flaw in iLnkP2P doesn't mean all IoT devices have the same flaw. In fact, most IoT devices don't even run iLnkP2P.

The closest thing I've seen reported is a Nest thermostat being hacked to allow hacking access to the rest of the network, but there are two major caveats here:

1) The hack requires physical access to the device.
2) If the device is on a guest network, then the only devices the hacked Nest has access to are other devices on the guest network.
Last edited by EugW on May 4th, 2019 5:16 pm, edited 1 time in total.
Deal Addict
Jul 3, 2017
3860 posts
2784 upvotes
starlamp wrote: The question I have (as an average Joe Blow) is how do I protect myself?

Btw Exp315 have you heard of or used OpenVPN? On another forum they recommend that is the way to protect hackers from accessing security cams.
There is no easy way for you to protect yourself from security vulnerabilities in IoT gear - that's the whole problem. Many of them require internet access to work, and you have no way to look inside the firmware to know what they're doing. They might have security weaknesses that an outsider could exploit. They might have deliberate back doors left by the firmware developer. Most are running some version of Linux internally, making them easy for a hacker to exploit.

Possible security measures:
1. Buy well known and widely-used brand names rather than cheap gear from an unknown company. The widely-used brands are more likely to have had security reviews in product development, and more likely to have received some scrutiny from expert users checking their network traffic etc.
2. Check your network traffic yourself with an app like Wireshark. It can be hard to tell what's going on, as a lot of these IoT devices "phone home" more often than you would think, and the purpose and content of their communication can be obscure. But at least you might recognize unexpected heavy traffic or traffic types that shouldn't be there (p2p, email relay etc.).
3. Put your IoT devices on a separate network with AP isolation so that devices can't see each other and have no access to your main home network. Unfortunately that means that local control solutions like Home Assistant or SmartThings won't work with the WiFi devices on that network.
4. Unplug devices that aren't in use at the moment, like cameras or servers. Can't exploit what's offline.

OpenVPN is just a widely-used open VPN protocol. Most of the major VPN providers offer it as an option, and you can get free open-source client and server OpenVPN software. Many people prefer it because it's a known quantity, more trustworthy than the client software provided by others even though it may not be the most efficient protocol. You can even install an OpenVPN server in your router if you run aftermarket firmware like DD-WRT, which allows you to connect remote using VPN encryption. That makes remote access to your network more secure, but I'm not sure how that helps with your camera security.
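Exp315's item 2 (check the device's traffic yourself) and the UDP port 32100 block quoted earlier in the thread both come down to the same question: which hosts on the IoT segment are talking to that port, or to anything else a camera has no business using. The script below is an added example, not code from the thread or from any poster. It reads a few constructed flow records in the column order a Wireshark/tshark conversation export can be put into (src, sport, dst, dport, proto, bytes) and flags IoT-subnet hosts that talk to UDP 32100 (the iLnkP2P port named in the article) or to TCP 25 (outbound SMTP, the "email relay" case Exp315 lists). The subnet 192.168.50.0/24, the sample flows and the interface name in the note after the code are all assumptions.

```python
"""Added example (not from the thread): flag IoT hosts whose flows match the
P2P or mail-relay traffic the posts above say should not be there.

Assumptions (mine, not the thread's): the IoT/guest subnet is 192.168.50.0/24,
and the flow records below are constructed, in the column order
src,sport,dst,dport,proto,bytes.
"""
import ipaddress
from collections import defaultdict

IOT_NET = ipaddress.ip_network("192.168.50.0/24")  # assumed IoT/guest subnet

# (protocol, destination port) pairs a camera or thermostat has no business using.
SUSPECT_SERVICES = {
    ("udp", 32100): "iLnkP2P rendezvous (UDP 32100)",   # port named in the article
    ("tcp", 25): "outbound SMTP (possible mail relay)",  # "email relay" from Exp315's list
}

# Constructed sample flows. 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24
# are documentation ranges, so nothing here points at a real host.
SAMPLE_FLOWS = """\
192.168.50.12,41234,203.0.113.7,32100,udp,1840
192.168.50.12,41234,203.0.113.7,32100,udp,2210
192.168.50.12,55010,198.51.100.4,443,tcp,90211
192.168.50.20,60111,192.0.2.9,25,tcp,5120
192.168.1.33,50000,203.0.113.7,32100,udp,300
192.168.50.12,41235,198.51.100.4,123,udp,96
"""


def parse_flows(text):
    """Parse comma-separated flow lines into dicts; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, proto, nbytes = line.split(",")
        flows.append({
            "src": ipaddress.ip_address(src),
            "sport": int(sport),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "proto": proto.lower(),
            "bytes": int(nbytes),
        })
    return flows


def find_suspect_flows(flows, iot_net=IOT_NET):
    """Return {iot_host: {service_label: total_bytes}} for flows from the IoT
    subnet to a suspect (proto, port). Hosts outside iot_net are ignored: the
    point is what the isolated segment is doing, not the main LAN."""
    findings = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f["src"] not in iot_net:
            continue
        label = SUSPECT_SERVICES.get((f["proto"], f["dport"]))
        if label:
            findings[str(f["src"])][label] += f["bytes"]
    return {host: dict(services) for host, services in findings.items()}


def report(findings):
    """Human-readable lines, one per host/service pair, sorted for stable output."""
    lines = []
    for host in sorted(findings):
        for label, total in sorted(findings[host].items()):
            lines.append(f"{host}: {label}, {total} bytes")
    return lines


if __name__ == "__main__":
    for line in report(find_suspect_flows(parse_flows(SAMPLE_FLOWS))):
        print(line)
```

For real input, Wireshark's Statistics > Conversations view can be copied out as CSV and the columns reordered to match; the script deliberately does not guess column order. A host that shows up under the UDP 32100 label is the one the quoted remedy applies to, and on a Linux router that is one forwarding rule per direction, e.g. `iptables -A FORWARD -i iot0 -p udp --dport 32100 -j DROP` for traffic leaving the IoT interface (interface name assumed), with a matching rule for the reverse direction if you want both blocked.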
Newbie
Jun 19, 2011
86 posts
22 upvotes
SCARBOROUGH
starlamp wrote: https://krebsonsecurity.com/2019/04/p2p ... t-devices/

Peer-to-peer (P2P) communications technology built into millions of security cameras and other consumer electronics includes several critical security flaws that expose the devices to eavesdropping, credential theft and remote compromise, new research has found.

A map showing the distribution of some 2 million iLnkP2P-enabled devices that are vulnerable to eavesdropping, password theft and possibly remote compromise, according to new research.

The security flaws involve iLnkP2P, software developed by China-based Shenzhen Yunni Technology. iLnkP2P is bundled with millions of Internet of Things (IoT) devices, including security cameras and Webcams, baby monitors, smart doorbells, and digital video recorders.

iLnkP2P is designed to allow users of these devices to quickly and easily access them remotely from anywhere in the world, without having to tinker with one’s firewall: Users simply download a mobile app, scan a barcode or enter the six-digit ID stamped onto the bottom of the device, and the P2P software handles the rest.

But according to an in-depth analysis shared with KrebsOnSecurity by security researcher Paul Marrapese, iLnkP2P devices offer no authentication or encryption and can be easily enumerated, allowing potential attackers to establish a direct connection to these devices while bypassing any firewall restrictions.

Marrapese said a proof-of-concept script he built identified more than two million vulnerable devices around the globe (see map above). He found that 39 percent of the vulnerable IoT things were in China; another 19 percent are located in Europe; seven percent of them are in use in the United States.
Krebs is a well-known security research company, but there are some things which do not pass my smell test, only because of some items I will describe below. I don't think they may have said anything false though.
1) How were the vulnerable devices counted? The explanation of a script does not tell us how it works. I just don't see how to count the devices. Once a P2P session is online, unless he knows how to crack this particular P2P protocol, he cannot understand the traffic within. Also, all P2P sessions will not be 'up' at the same time, so he would have had to have the script running for an extended time. Perhaps he has access to nodes on the internet backbone where all traffic must pass through.
2) Working out percentages across the world means he can count both the vulnerable and non-vulnerable devices. Really? The non-vulnerable devices mean they cannot set up the P2P sessions, i.e. there is no internet traffic to analyze. (It is possible that if others left the port open, he can assume at least one device, but if I have my router completely sealed, how would he know how many devices are at my home?)
3) All traffic must go through your router, for which the firewall (hopefully) is set to active. Only IP traffic originating from within your network is allowed to exit, so the IoT device is calling 'home' constantly (just like, eg. your anti-virus software, browser...) If IP traffic originating from outside your network is allowed, then there is an open port on the router. That is devastating, but people who insist on the 'cool benefit' of remotely playing with their IoT devices have brought this upon themselves. Routers have an option to disable all IPV6 traffic, I don't know why this is not mentioned as a mitigating action. The UDP special port may allow the IPV6 attempt, but I don't know if the IPV6 block will take care of the open port. The safest action here would be to block the specific port from inbound and outbound traffic.
4) Currently, routers as far as I know cannot even identify IPV6 devices, so the only IPV6 control is to reject all IPV6 packets. Interestingly, Microsoft uses IPV6 for some of its internal protocols. I have disabled IPV6 on my router and have not had any adverse effects.
Other... I think VPN was mentioned in a previous post. VPN has nothing to do with this, and does not protect one's network, which is a common misunderstanding. A VPN configuration on your machine sets up a tunnel connection to your VPN carrier. Subsequent IP traffic, while the VPN is up, allows one to visit web sites with a different IP address. That's it. It does not prevent 'regular' hacking of your router and open ports. Don't believe a VPN makes your network secure. One note: if your VPN carrier maintains logs, and law enforcement asks the VPN carrier, they are obligated to turn those logs over. So, choose even your VPN carrier carefully. It is somewhat sadly funny that when people ask for VPN carrier advice, there is NO mention of security, just how fast it is, and price.

I hope my comments have made things a little less nebulous.
Good Luck.
Newbie
Jun 19, 2011
86 posts
22 upvotes
SCARBOROUGH
EugW wrote: I'd like to see a link to even just a proof of concept of this being demonstrated on a thermostat. This isn't a NAS or a thin client or something like that after all. Furthermore, a flaw in iLnkP2P doesn't mean all IoT devices have the same flaw. In fact, most IoT devices don't even run iLnkP2P.

The closest thing I've seen reported is a Nest thermostat being hacked to allow hacking access to the rest of the network, but there are two major caveats here:

1) The hack requires physical access to the device.
2) If the device is on a guest network, then the only devices the hacked Nest has access to are other devices on the guest network.
Hmmm...
1) I don't think so..because of 2)
2) Currently, guest network isolation from an internal network is IPV4 configurable. IoT uses IPV6, which means it cannot be restricted by IPV4 rules. So IPV6 is on its own network. For IPV4 traffic to be compromised, the IPV6 malware would have some pretty sophisticated sniffer built in. Remember over wi-fi, every device sees everything, so access available to hacker.
Deal Expert
Mar 23, 2009
18853 posts
4948 upvotes
Toronto
Corndogs wrote: Hmmm...
1) I don't think so..because of 2)
2) Currently, guest network isolation from an internal network is IPV4 configurable. IoT uses IPV6, which means it cannot be restricted by IPV4 rules. So IPV6 is on its own network. For IPV4 traffic to be compromised, the IPV6 malware would have some pretty sophisticated sniffer built in. Remember over wi-fi, every device sees everything, so access available to hacker.
The specific proof-of-concept I am talking about is regarding a Nest thermostat and yes it requires physical access to the device. It requires direct access to the USB port to load malware on the device. Once the device is compromised in this manner, then the hacker can remotely control it and use it as a beachhead within your local network to attack other devices on that local network.

However, since no outside remote hacker will have physical access to the Nest thermostat in your home, this specific proof-of-concept hack is irrelevant to 99.99999% of people out there.

BTW, why do you say IoT uses IPv6? Cuz while most may, IoT certainly doesn't have to. Nest thermostats work just fine without IPv6.
Deal Fanatic
Nov 17, 2004
7093 posts
1425 upvotes
Toronto
Battery life is the primary challenge for IoT devices; security is not on the priority list usually. In an energy-limited situation you do not have the electrons available to implement rigorous security, which either takes up CPU time or is hardware based, both of which eat up energy.
Deal Expert
Mar 23, 2009
18853 posts
4948 upvotes
Toronto
toalan wrote: Battery life is the primary challenge for IoT devices; security is not on the priority list usually. In an energy-limited situation you do not have the electrons available to implement rigorous security, which either takes up CPU time or is hardware based, both of which eat up energy.
I see where you're coming from, but battery life is not an issue for most properly designed and installed IoT devices. For example, Nest thermostats really should have a proper power source, and shouldn't be improperly using the power stealing method they allow with setups without C wires. I say "improperly" because they're too unreliable running this way. It's not uncommon for Nest thermostats to cause problems in this half-@ssed wiring method.

IOW, in a lot of situations, battery life is an issue only because we have half-@ssed installs, like in the case of the Nest thermostat, running mainly on battery and stealing power at other times, hoping that it will be enough to charge it and hoping it won't screw up the equipment it's supposed to be controlling.

https://www.businessinsider.com/nest-th ... lem-2014-1
https://thesmartcave.com/thermostat-c-wire-common/

One should note that companies like Ecobee refuse to run thermostats this way.

https://www.ecobee.com/2014/01/the-prob ... -stealing/
Basically, one can summarize that episode by saying you should not run your devices with no password, or run your devices with just the factory default password.
Deal Addict
Jul 3, 2017
3860 posts
2784 upvotes
The problem is that WiFi IoT devices are fundamentally insecure if they need to communicate with the internet for any portion of their services. If you could set them up, then transfer them to local control and block their internet access, that would improve security - but that's difficult to do with most consumer routers, and most people wouldn't know how. If the device routinely sends and receives internet messages, and the firmware comes from some unknown manufacturer in China, you really have no idea what kind of exploitable security holes or malware might be lurking in there.

If you isolate it from your own local network and put it on a VLAN or guest network with AP isolation, then at least it is blocked from seeing or accessing anything else on your main network. But it can still use your home as a node in a malware network.

Zigbee and Z-wave devices are fundamentally more secure because they do not have direct internet access. Everything goes through a hub, and while the hub may have internet access, most people would be using one of the popular hubs like SmartThings that has a reputable manufacturer with some responsibility for firmware security, and a large user base to verify that.
Deal Guru
Nov 21, 2002
10203 posts
2609 upvotes
Winnipeg
Once people start discussing the obvious security holes, and some are discussed here, you start to see that as you move towards a secure IoT environment it becomes incompatible with affordability, ease of use, or simplicity of setup.

Which is exactly what all the articles mostly highlight as the big security flaws. But in this particular article on iLnkP2P IoT devices, they are capable of becoming a physical trojan horse with ease by any hacker.

I hope it brings attention to how it probably won't be fixed! How many can't be reimbursed? How stores who sold some of this stuff can't recoup either? That's another elephant in the same room caused by this problem!
[OP]
Member
Feb 13, 2019
312 posts
158 upvotes
lead wrote: Once people start discussing the obvious security holes, and some are discussed here, you start to see that as you move towards a secure IoT environment it becomes incompatible with affordability, ease of use, or simplicity of setup.

Which is exactly what all the articles mostly highlight as the big security flaws. But in this particular article on iLnkP2P IoT devices, they are capable of becoming a physical trojan horse with ease by any hacker.

I hope it brings attention to how it probably won't be fixed! How many can't be reimbursed? How stores who sold some of this stuff can't recoup either? That's another elephant in the same room caused by this problem!
Most average consumers have no clue or understanding. This is what protects the companies, IMO.
[OP]
Member
Feb 13, 2019
312 posts
158 upvotes
Exp315 wrote: The problem is that WiFi IoT devices are fundamentally insecure if they need to communicate with the internet for any portion of their services. If you could set them up, then transfer them to local control and block their internet access, that would improve security - but that's difficult to do with most consumer routers, and most people wouldn't know how. If the device routinely sends and receives internet messages, and the firmware comes from some unknown manufacturer in China, you really have no idea what kind of exploitable security holes or malware might be lurking in there.

If you isolate it from your own local network and put it on a VLAN or guest network with AP isolation, then at least it is blocked from seeing or accessing anything else on your main network. But it can still use your home as a node in a malware network.

Zigbee and Z-wave devices are fundamentally more secure because they do not have direct internet access. Everything goes through a hub, and while the hub may have internet access, most people would be using one of the popular hubs like SmartThings that has a reputable manufacturer with some responsibility for firmware security, and a large user base to verify that.
The Asus routers often enable you to block internet access for clients.