In: Computer Science
In April 2019, Paul Marrapese, an independent security
researcher from San Jose,
California, has published research warning that peer-to-peer
software developed by
Shenzhen Yunni Technology firm, that's used in millions of IoT
devices around the world,
has a vulnerability that could allow an attacker to eavesdrop on
conversations or press
household items into service as nodes in a botnet.
The software, called iLnkP2P, is designed to enable a user to
connect to IoT devices from
anywhere by using a smartphone app. The iLnkP2P functionality is
built into a range of
products from companies that include HiChip, TENVIS, SV3C,
VStarcam, Wanscam, NEO
Coolcam, Sricam, Eye Sight, and HVCAM.
What Marrapese found is that as many as 2 million devices, and
possibly more, using
iLnkP2P software for P2P communication do not have authentication
or encryption
controls built-in, meaning that an attacker could directly connect
to a device and bypass
the firewall. Marrapese discovered the iLinkP2P flaw after buying
an inexpensive IoT-
connected camera on Amazon.
"I found that I was able to connect to it externally without any
sort of port forwarding,
which both intrigued and concerned me," Marrapese told Information
Security Media
Group. "I found that the camera used P2P to achieve this, and
started digging into how
it worked. From there, I quickly learned how ubiquitous and
dangerous it was."
While the flaws with the iLnkP2P peer-to-peer software apparently
have not yet been
exploited in the wild, Marrapses believes it's better for consumers
to know now before
an attacker decides to start taking advantage of this particular
vulnerability.
"There have been plenty of stories in the past about IP cameras and
baby monitors being
hacked, but I believe iLnkP2P is a brand new vector not currently
being exploited in the
wild," Marrapese says. "With that being said, the biggest
motivation behind this
disclosure is to inform consumers before it's too late - because I
believe it's only a matter
of time."
As part of his research, Marrapese says he attempted to contact not
only Shenzhen
Yunni Technology but also several of the IoT manufacturers that use
the company's P2P
software. As of Monday, even after publishing results,
he had not heard back from
anyone.
Users of IoT devices that make use of the iLnkP2P software scan a
barcode or copy a six-
digit number that is included in the product. From there, the owner
can access the
device from a smartphone app.
It's through these unique identifier numbers that Marrapese was
able to discover that
each device manufacturer used a specific alphabetic prefix to
identify their particular
product. For instance, HiChip uses "FFFF" as a prefix for the
identification number for its
devices. Once Marrapese was able to identify these devices through
the unique number
systems, he created several proof-of-concept attacks that took
advantage of the flaws
in the software.
[Source:
https://www.databreachtoday.com/2-million-iot-devices-have-p2p-software-
flaw-researcher-a-12428 Accessed July 2020]
a) In this case study, it is mentioned that vulnerable
IoT devices can service as nodes
in a botnet. Explain the working mechanism of a Botnet. Discuss any
two attacks
carried out by a botnet.
b) Report the importance of security in IoT devices. How
does encryption help improve
security for these devices?
c) Discuss the importance of lightweight cryptography in
IoT enabled low-power
devices. List the potential lightweight cryptographic algorithms
for low-power IoT
devices.