Millions of Chinese-made IoT Devices Easily Hacked says Brian Krebs

If you bought a security camera, webcam, baby monitor, smart doorbell, digital video recorder or other IoT device manufactured in China, there is bad news.  Security flaws have been discovered that can easily allow an attacker remote access, remote control, and password discovery on affected systems.  These devices can also be hijacked for use in a variety of exploits, including eavesdropping through on-board microphones, capturing images of what the camera can see, and inclusion in a botnet used for DDoS, crypto-mining, and other attacks.

There are problems in the iLnkP2P software that was developed by Chinese software developer Shenzhen Yunni Technology.  According to security researcher Paul Marrapese, there are more than 2 million devices affected by this vulnerability.

Unfortunately, this software is used by many equipment manufacturers (OEMs), so listing the affected brands is a difficult task, especially when considering that a single manufacturer may be white-labeling products for several different brands.

One way to determine if your device is affected is to look for the Unique Identifier number or UID on the device.  This is how the software connects to the cloud controller and your online user account.  Below is a list of most of the UID initial prefixes.

Many of these devices are also still using the manufacturer’s default administrative ID and default password.  Default passwords for devices like this are available on the manufacturer’s website, as well as dozens of password aggregation sites.  Consumers who buy one of these devices are strongly urged to change these passwords, and to store the new passwords in a safe place such as a password manager program.

If you are joining the IoT revolution and creating a smart home full of smart devices, then actually be smart about it and take a few moments to properly secure all these smart appliances.


About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Owner of the WyzCo Group Inc. In addition to consulting on security products and services, Bob also conducts security audits, compliance audits, vulnerability assessments and penetration tests. Bob also teaches Cybersecurity Awareness Training classes. Bob works as an instructor for CompTIA’s non-profit IT-Ready Program in the Twin Cities. IT-Ready is a tuition-free 8-week program designed to teach students of all ages the fundamentals of IT support to prepare them for an entry-level position in Information Technology Support. Graduates of the classes take the exams to become CompTIA A+ certified. Bob is a frequent speaker at conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. Bob has been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
