If you bought a security camera, webcam, baby monitor, smart doorbell, digital video recorder or other IoT device manufactured in China, there is bad news. Security flaws have been discovered that can easily allow an attacker remote access, remote control, and password discovery on affected systems. These devices can also be hijacked for use in a variety of exploits, including eavesdropping through on-board microphones, image capture of what the camera can see, and inclusion in a botnet used for DDoS, crypto-mining, and other attacks.
There are problems in the iLnkP2P software that was developed by Chinese software developer Shenzhen Yunni Technology. According to security researcher Paul Marrapese, there are more than 2 million devices affected by this vulnerability.
Unfortunately, this software is used by many equipment manufacturers (OEMs), so listing the affected brands is a difficult task, especially when considering that a single manufacturer may be white-labeling products for several different brands.
One way to determine if your device is affected is to look for the Unique Identifier number, or UID, on the device. This is how the software connects to the cloud controller and your online user account. Below is a list of most of the UID initial prefixes.
Many of these devices are also still using the manufacturer’s default administrative ID and default password. Default passwords for devices like this are available on the manufacturer’s website, as well as on dozens of password aggregation sites. Consumers who buy one of these devices are strongly urged to change these passwords and to store their passwords in a safe place, such as a password manager program.
If you are joining the IoT revolution and creating a smart home full of smart devices, then actually be smart about it and take a few moments to properly secure all these smart appliances.