Question

In April 2019, Paul Marrapese, an independent security researcher from San Jose, California, has published research warning that peer-to-peer software developed by Shenzhen Yunni Technology firm, that's used in millions of IoT devices around the world, has a vulnerability that could allow an attacker to eavesdrop on conversations or press household items into service as nodes in a botnet.

The software, called iLnkP2P, is designed to enable a user to connect to IoT devices from anywhere by using a smartphone app. The iLnkP2P functionality is built into a range of products from companies that include HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight, and HVCAM.

What Marrapese found is that as many as 2 million devices, and possibly more, using iLnkP2P software for P2P communication do not have authentication or encryption controls built-in, meaning that an attacker could directly connect to a device and bypass the firewall. Marrapese discovered the iLinkP2P flaw after buying an inexpensive IoTconnected camera on Amazon.

"I found that I was able to connect to it externally without any sort of port forwarding, which both intrigued and concerned me," Marrapese told Information Security Media Group. "I found that the camera used P2P to achieve this, and started digging into how it worked. From there, I quickly learned how ubiquitous and dangerous it was."

While the flaws with the iLnkP2P peer-to-peer software apparently have not yet been exploited in the wild, Marrapses believes it's better for consumers to know now before an attacker decides to start taking advantage of this particular vulnerability.

"There have been plenty of stories in the past about IP cameras and baby monitors being hacked, but I believe iLnkP2P is a brand new vector not currently being exploited in the wild," Marrapese says. "With that being said, the biggest motivation behind this disclosure is to inform consumers before it's too late - because I believe it's only a matter of time." As part of his research, Marrapese says he attempted to contact not only Shenzhen Yunni Technology but also several of the IoT manufacturers that use the company's P2P software. As of Monday, even after publishing results, he had not heard back from anyone.

Users of IoT devices that make use of the iLnkP2P software scan a barcode or copy a sixdigit number that is included in the product. From there, the owner can access the device from a smartphone app.

It's through these unique identifier numbers that Marrapese was able to discover that each device manufacturer used a specific alphabetic prefix to identify their particular product. For instance, HiChip uses "FFFF" as a prefix for the identification number for its devices. Once Marrapese was able to identify these devices through the unique number systems, he created several proof-of-concept attacks that took advantage of the flaws in the software.

a) In this case study, it is mentioned that vulnerable IoT devices can service as nodes in a botnet. Explain the working mechanism of a Botnet. Discuss any two attacks carried out by a botnet.

b) Report the importance of security in IoT devices. How does encryption help improve security for these devices?

c) Discuss the importance of lightweight cryptography in IoT enabled low-power devices. List the potential lightweight cryptographic algorithms for low-power IoT devices.

Answer 1