Paul Marrapese, a security engineer, announced that those using iLnkP2P (peer-to-peer) with their IoT devices face serious cyber threats. The iLnkP2P is used by machine builders and enables users to connect to IoT devices on their mobile phones or computers using a specific serial number, known as an UID.
Thus, there’s no need for port forwarding or dynamic Domain Name System (DNS) to connect, and Networking Address Translation (NAT) and firewall scenarios to overcome.
The iLnkP2P is a software developed by China-based Shenzhen Yunni Technology. iLnkP2p is bundled with millions of Internet of Things (IoT) devices, including security cameras and Webcams, baby monitors, smart doorbells, and digital video recorders.
The security engineer, therefore, explains that there are two vulnerabilities that can be exploited if used simultaneously.
- CVE-2019-11219: An enumeration vulnerability in iLnkP2P that allows attackers to search for devices that are online.
- CVE-2019-11220: An authentication vulnerability that allows attackers to intercept connections to devices and perform intermediary attacks. An attacker could use this to steal and control the devices password.
Consequently, Paul Marrapese recommends users to:
- Purchase new equipment from a trusted vendor;
- Disable P2P functionality by blocking outbound traffic to UPD port 32100.