Unpleasant, but not surprising, findings from Def Con 2020: the vast majority of Internet of Things (IoT) devices are wide open and easily hackable. Only idiots, naive people and risk-takers use such devices with (unsecured) access from the Internet. Companies could of course still seal off the Internet of Trouble from the Internet with appropriate gateways – but that is not the issue here.
Routers, network storage systems, cameras, doorbells, HVAC systems, refrigerators, medical equipment, connected cars, smart home automation and televisions that can be reached via IP addresses on the Internet fall under the category of IoT, and they are a hacker's paradise. Paul Marrapese has now shed light on this again at Def Con 2020.
My @defcon talk “Abusing P2P to Hack 3 Million Cameras” is now live! Come see just how easy it is for anyone in the world to hijack your camera from the comfort of their own home.
— Paul Marrapese (@PaulMarrapese) August 5, 2020
In the tweet above, he focuses on cameras that are reachable over the Internet via the P2P protocol (he has published a script on GitHub). In this YouTube video from Def Con, another security researcher discusses PowerLine truck hacking.
P2P communication easily hackable
The colleagues at the German IT magazine heise have covered the topic in this article (thanks to Karl for the tip). Overall, Paul Marrapese has dealt with the peer-to-peer (P2P) communication protocols of various IoT devices. These are used for communication by cameras, doorbells, digital video recorders, NAS systems, networked alarm systems, etc. According to the manufacturer, the iLnkP2P protocol developed by Shenzhen Yunni is used in over 3.6 million end devices. And the protocol is functionally identical to CS2 Network P2P, which is used in more than 50 million end devices. More than 20 devices can be found on Amazon under various brand names.
In P2P networks, ports are always kept open to allow communication with end devices (even behind a router via Network Address Translation, NAT). Nothing can be switched off, and the IoT devices have a unique ID (UID) stored in the firmware. heise writes about this:
According to Marrapese, the P2P servers hosted by the manufacturers, mainly at Amazon's AWS and Alibaba, use this UID to identify the end device that reports to the server via UDP port 32100. The servers communicate to requesting clients or end devices the public IP address and open port information transmitted by the other side so that the communication partners can contact each other directly.
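Seen from the defender's side, the registration traffic described above is something you can look for in your own network: a device that keeps sending UDP datagrams to Internet hosts on port 32100 is advertising itself to a vendor P2P server and is reachable from the outside whether you want it or not. The following is an added example, not code from the article or from Marrapese, that scans a flow log for exactly that pattern. Only the port number comes from the article; the log format, the sample addresses and the choice of RFC 1918 ranges as "LAN" are assumptions of this example.

```python
"""Flag LAN hosts that register with Internet P2P servers over UDP/32100.

Hypothetical example: the six-column flow-log format below is constructed
for this demo and is not any product's real export format.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Optional, Set

# UDP port on which iLnkP2P / CS2 devices report to the vendor's P2P
# servers, per the article. A port match is a heuristic, not proof.
P2P_REGISTRATION_PORT = 32100

# Assumed "inside" address space: the RFC 1918 private ranges.
LAN_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample log: timestamp src dst proto dst_port bytes.
# Lines 4-7 are deliberate non-matches (TCP, LAN-to-LAN, HTTPS, malformed).
SAMPLE_FLOW_LOG = """\
2020-08-06T10:00:01Z 192.168.1.23 203.0.113.10 udp 32100 96
2020-08-06T10:00:31Z 192.168.1.23 203.0.113.10 udp 32100 96
2020-08-06T10:00:33Z 192.168.1.23 198.51.100.7 udp 32100 96
2020-08-06T10:00:40Z 192.168.1.50 203.0.113.10 tcp 32100 1200
2020-08-06T10:00:45Z 192.168.1.50 192.168.1.23 udp 32100 96
2020-08-06T10:01:02Z 192.168.1.77 203.0.113.99 udp 443 5000
this line is deliberately malformed
2020-08-06T10:01:10Z 192.168.1.88 198.51.100.7 udp 32100 88
"""


def parse_flow_line(line: str) -> Optional[dict]:
    """Parse one flow record; return None for malformed lines instead of raising."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, src, dst, proto, port, nbytes = fields
    try:
        return {
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto.lower(),
            "dst_port": int(port),
            "bytes": int(nbytes),
        }
    except ValueError:
        return None


def is_lan(ip) -> bool:
    return any(ip in net for net in LAN_NETWORKS)


def is_p2p_registration(flow: dict) -> bool:
    """UDP from an inside host to an outside host on the P2P registration port."""
    return (
        flow["proto"] == "udp"
        and flow["dst_port"] == P2P_REGISTRATION_PORT
        and is_lan(flow["src"])
        and not is_lan(flow["dst"])
    )


def find_p2p_beacons(log_text: str) -> Dict[str, Set[str]]:
    """Map each beaconing LAN host to the set of P2P servers it contacted."""
    beacons: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        flow = parse_flow_line(line)
        if flow is not None and is_p2p_registration(flow):
            beacons[str(flow["src"])].add(str(flow["dst"]))
    return dict(beacons)


def report(beacons: Dict[str, Set[str]]) -> list:
    """One actionable line per host: isolate it or block the port at the edge."""
    lines = []
    for host in sorted(beacons):
        servers = ", ".join(sorted(beacons[host]))
        lines.append(
            f"{host}: P2P registration to {servers}; "
            f"block outbound UDP/{P2P_REGISTRATION_PORT} or move the device off the Internet"
        )
    return lines


if __name__ == "__main__":
    for line in report(find_p2p_beacons(SAMPLE_FLOW_LOG)):
        print(line)
```

Run against the sample, the script names two hosts (192.168.1.23 and 192.168.1.88) and ignores the TCP, LAN-internal and HTTPS flows. Blocking outbound UDP/32100 at the edge is the cheap first step the article's conclusion amounts to; because the port alone is only a heuristic, treat the hits as a list of devices to inspect rather than a verdict.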
The problem now is the P2P protocol itself: the UID consists of a three- or four-digit prefix, by which manufacturers recognize the devices they produce, plus a serial number and a checksum. Paul Marrapese wrote a script to determine the 488 prefixes currently in use. The serial number is assigned sequentially, so only the checksum could stop a hacker from abusing communication with the devices. But Marrapese was able to use the iLnkP2P libraries used by the manufacturers to determine the algorithm for calculating this checksum.
Identifying servers, querying and hacking devices
Once this information was available, Marrapese queried the 618 identified P2P servers with the generated UIDs. In this way he was able to determine the IP addresses of 3.6 million devices (21% are located in Europe, >50% in Thailand and China). A Google API made it possible to determine the device locations.
Then there is a vulnerability in the firmware of Hichip devices, which are sold by the millions under different names, that leads to a buffer overflow. The buffer overflow allowed the security researcher to open a shell on the device. Since the version of BusyBox installed on the investigated devices runs with root privileges throughout, the device was wide open. The researcher was able to upload and execute arbitrary files – so the door to the next botnet, version 2.0, is practically open. According to Marrapese, the P2P protocols are also vulnerable to man-in-the-middle attacks, and attackers can intercept communication between the server and the IoT device. When logging on to the server via UID, the IoT device then sends the user name and password to the server.
During his work, Marrapese found a total of seven critical vulnerabilities that were assigned CVE numbers. The developer Shenzhen Yunni has not reported back in over a year and a half and has not provided an update, heise says. CS2 Network P2P wants to fix the problems in the upcoming version 4.0 of the protocol, and Hichip closed its three holes in June 2020 via an update. But most IoT devices never see a firmware update. The only conclusion is: do without IoT devices – or at least do not connect them to the Internet (if they still work then). Brave New World – this fits perfectly with my article Expired certificates kick IoT devices out of business from June 2020. And then there is the Ripple20 bug, which targets IoT devices (see here and the following tweet).
— Steven Krohn | Krohn Media (@stevekrohn) August 6, 2020
Wait till the new cars come along and hit you with one of these… brave new world.