Question

In April 2019, Paul Marrapese, an independent security researcher from San Jose,
California, has published research warning that peer-to-peer software developed by
Shenzhen Yunni Technology firm, that's used in millions of IoT devices around the world,
has a vulnerability that could allow an attacker to eavesdrop on conversations or press
household items into service as nodes in a botnet.
The software, called iLnkP2P, is designed to enable a user to connect to IoT devices from
anywhere by using a smartphone app. The iLnkP2P functionality is built into a range of
products from companies that include HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO
Coolcam, Sricam, Eye Sight, and HVCAM.
What Marrapese found is that as many as 2 million devices, and possibly more, using
iLnkP2P software for P2P communication do not have authentication or encryption
controls built-in, meaning that an attacker could directly connect to a device and bypass
the firewall. Marrapese discovered the iLinkP2P flaw after buying an inexpensive IoT-
connected camera on Amazon.
"I found that I was able to connect to it externally without any sort of port forwarding,
which both intrigued and concerned me," Marrapese told Information Security Media
Group. "I found that the camera used P2P to achieve this, and started digging into how
it worked. From there, I quickly learned how ubiquitous and dangerous it was."
While the flaws with the iLnkP2P peer-to-peer software apparently have not yet been
exploited in the wild, Marrapses believes it's better for consumers to know now before
an attacker decides to start taking advantage of this particular vulnerability.
"There have been plenty of stories in the past about IP cameras and baby monitors being
hacked, but I believe iLnkP2P is a brand new vector not currently being exploited in the
wild," Marrapese says. "With that being said, the biggest motivation behind this
disclosure is to inform consumers before it's too late - because I believe it's only a matter
of time."
As part of his research, Marrapese says he attempted to contact not only Shenzhen
Yunni Technology but also several of the IoT manufacturers that use the company's P2P

software. As of Monday, even after publishing results, he had not heard back from
anyone.
Users of IoT devices that make use of the iLnkP2P software scan a barcode or copy a six-
digit number that is included in the product. From there, the owner can access the
device from a smartphone app.
It's through these unique identifier numbers that Marrapese was able to discover that
each device manufacturer used a specific alphabetic prefix to identify their particular
product. For instance, HiChip uses "FFFF" as a prefix for the identification number for its
devices. Once Marrapese was able to identify these devices through the unique number
systems, he created several proof-of-concept attacks that took advantage of the flaws
in the software.
[Source: https://www.databreachtoday.com/2-million-iot-devices-have-p2p-software-
flaw-researcher-a-12428 Accessed July 2020]

a) In this case study, it is mentioned that vulnerable IoT devices can service as nodes
in a botnet. Explain the working mechanism of a Botnet. Discuss any two attacks
carried out by a botnet.

b) Report the importance of security in IoT devices. How does encryption help improve
security for these devices?

c) Discuss the importance of lightweight cryptography in IoT enabled low-power
devices. List the potential lightweight cryptographic algorithms for low-power IoT
devices.

Answer 1

THANK YOU!! PLEASE VOTE