Critical vulnerabilities compromise millions of IoT devices

Cyber forensics course specialists reported critical security vulnerabilities in iLnkP2P, a peer-to-peer (P2P) communications software component that, if exploited, would allow an attacker to access and take control of about 2 million Internet of Things (IoT) devices.

This technology allows users to connect to their devices as soon as the devices come online; an attacker could abuse this feature to exploit vulnerabilities in IoT devices, such as surveillance cameras, and control them remotely.

The vulnerabilities in the iLnkP2P component could allow an attacker to carry out various malicious activities, such as password theft, remote device compromise and espionage. According to cyber forensics course specialists, the vulnerable component is used in security cameras, webcams and baby monitors, among other IoT devices.

According to reports, the vulnerability already affects about 2 million IoT devices distributed by multiple companies. Experts add that it is difficult to establish which devices are exposed to exploitation of the vulnerability, since hundreds of distributors around the world use the same iLnkP2P component; however, the vulnerable devices have been linked to their serial number (UID), cyber forensics course specialists mentioned.

A proof of concept identified the two million vulnerable IoT devices, of which about 40% are located in China, 19% across Europe and the rest in the United States. A working proof of concept for password theft from vulnerable devices was also developed.

The vulnerabilities are tracked as:

  • CVE-2019-11219: iLnkP2P enumeration vulnerability that allows attackers to quickly discover devices that are online
  • CVE-2019-11220: iLnkP2P authentication vulnerability that enables attackers to remotely intercept connections and carry out Man-in-the-Middle (MitM) attacks

According to the specialists of the International Institute of Cyber Security (IICS), the researchers have tried to contact China's CERT equivalent, the iLnk security teams and some distributors, but none of these organizations has responded to the requests for information.