Hundreds of brands of security cameras, baby monitors, and “smart” doorbells have serious vulnerabilities that allow hackers to hijack devices and spy on users.
Affected devices use “peer-to-peer” features (also known as “P2P”) that allow users to connect to their devices the moment they come online. Hackers are able to exploit flaws in these features to rapidly find vulnerable cameras, then launch attacks to access them.
Other flaws make it possible for anyone to intercept connections to cameras, then covertly monitor video feeds and steal device passwords – all without the owner ever knowing.
As of August 2020, over 3.7 million vulnerable devices have been found on the Internet.
Am I affected?
A script for finding vulnerable P2P devices on the local network is available on GitHub.
Unfortunately, identifying affected devices by brand name is difficult, as hundreds of different brands use the vulnerable P2P features. If you are able to access your device from the Internet despite having a router/firewall in place, it may be using P2P.
Vulnerable devices will have a special serial number known as a UID, which may be printed somewhere on the device.
A UID will look like:
In this example,
FFFF is the device’s prefix. Other common prefixes include:
What can I do?
Ideally, buy a new device from a reputable vendor. Devices that use peer-to-peer are exposed by design, and are often riddled with security problems that put their owners at risk.
If disposing of the device is not possible, the P2P functionality can be effectively neutered by blocking outbound traffic to UDP port 32100 at your router or firewall. This will prevent the device from being reached from external networks via P2P (local access will still work).
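One way to check which hosts on your own network are actually using P2P, as an added example that is not part of this page: it assumes a Linux router whose firewall logs outbound UDP 32100 with a netfilter LOG rule (one such rule is shown in the comment), and runs over constructed sample log lines with made-up addresses.

```python
import re
from collections import defaultdict

# Constructed sample lines in netfilter LOG format. Assumed logging rule on a
# Linux router, placed before the matching DROP rule (adjust for your firewall):
#   iptables -I FORWARD -p udp --dport 32100 -j LOG --log-prefix "P2P-BLOCK: "
# All addresses below are made up for the example.
SAMPLE_LOG = """\
Aug 10 12:00:01 router kernel: P2P-BLOCK: IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=52 PROTO=UDP SPT=40000 DPT=32100 LEN=32
Aug 10 12:00:02 router kernel: P2P-BLOCK: IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.11 LEN=52 PROTO=UDP SPT=40000 DPT=32100 LEN=32
Aug 10 12:00:05 router kernel: P2P-BLOCK: IN=br0 OUT=eth0 SRC=192.168.1.77 DST=203.0.113.10 LEN=52 PROTO=UDP SPT=51234 DPT=32100 LEN=32
Aug 10 12:00:09 router kernel: P2P-BLOCK: IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=52 PROTO=UDP SPT=40000 DPT=32100 LEN=32
Aug 10 12:00:10 router kernel: OTHER: IN=br0 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=55000 DPT=443
"""

P2P_PORT = 32100  # UDP port used by the P2P feature discussed on this page
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def parse_line(line):
    """Extract SRC, DST, PROTO and DPT from one netfilter LOG line.

    Returns None for lines that are not firewall log entries (or lack a port).
    """
    fields = dict(FIELD_RE.findall(line))
    if not all(k in fields for k in ("SRC", "DST", "PROTO", "DPT")):
        return None
    return fields


def p2p_talkers(log_text, port=P2P_PORT):
    """Map each internal source IP to the set of P2P servers it tried to reach.

    A device that repeatedly sends UDP to port 32100 is almost certainly using
    P2P and should be treated as exposed until it is blocked or replaced.
    """
    talkers = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f["PROTO"] == "UDP" and int(f["DPT"]) == port:
            talkers[f["SRC"]].add(f["DST"])
    return dict(talkers)


if __name__ == "__main__":
    for src, dsts in sorted(p2p_talkers(SAMPLE_LOG).items()):
        print(f"{src} attempted P2P to {len(dsts)} server(s): {', '.join(sorted(dsts))}")
```

On a real router, feed it `journalctl -k` or `/var/log/kern.log` output instead of the sample text; hosts that show up are the devices to block or replace.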
What is P2P?
P2P is a feature included in many devices that allows them to be accessed without any manual configuration. By using a special serial number known as a UID, users may instantly connect to their device from their phone or computer. A main selling point of P2P devices is that they do not require port forwarding or dynamic DNS in order to be accessed, and can traverse NAT and firewalls automatically.
What is Shenzhen Yunni iLnkP2P?
Shenzhen Yunni iLnkP2P is a P2P solution present in over 3.6 million devices.
Devices utilizing iLnkP2P suffer from critical vulnerabilities that allow attackers to calculate UIDs and rapidly discover devices that are online. Due to the nature of P2P, attackers are then able to directly connect to arbitrary devices while bypassing firewall restrictions (CVE-2019-11219).
Additionally, attackers may perform man-in-the-middle attacks over the Internet, which can expose device credentials and sensitive information such as video/audio streams (CVE-2019-11220).
What is CS2 Network P2P?
CS2 Network P2P is a P2P solution present in over 50 million devices.
Devices utilizing CS2 Network P2P suffer from critical vulnerabilities that allow attackers to perform man-in-the-middle attacks over the Internet, which can expose device credentials and sensitive information such as video/audio streams (CVE-2020-9525, CVE-2020-9526).
Are all P2P devices vulnerable to these issues?
No. There are several different P2P solutions in use by different vendors. These issues are specific to devices that use Shenzhen Yunni iLnkP2P and CS2 Network P2P.
Is P2P the same as UPnP?
No. P2P is not related to UPnP in any way, and will function regardless of UPnP configuration.
My device encrypts traffic. Am I safe?
Probably not. Analysis of a wide range of devices has suggested that most devices do not employ encryption at all, or do so in an insecure fashion. Some vendors (notably VStarcam) have gone as far as outright lying about their use of encryption.
I use a very strong password. Am I safe?
Probably not. Due to the poor encryption practices mentioned above, it is possible for attackers to outright steal a password by performing a man-in-the-middle attack.
My device is on a VLAN. Am I safe?
No. While a VLAN can help to protect the rest of the network if a device is compromised, it would still be possible for an attacker to discover and access a vulnerable device.
I don’t care if a hacker can see my video!
Hackers may not be limited to accessing video. Hackers can use P2P to connect to an exposed device and then exploit underlying vulnerabilities to completely take control of it.
With this level of access, attackers can use the device (and your Internet connection) however they please. They may be able to attack other computers on your network, and even pinpoint the exact location of your home.
Who are you?
I am Paul Marrapese, an OSCP-certified security engineer from the Bay Area, California. These vulnerabilities were discovered and reported by me as part of an independent research effort.