News

Some thoughts on IOT devices, the more I see the more questions I have.

With the rise of IOT devices there were many concerns about the security of said devices. There are many way this subject can be discussed but the perspective I would like to approach begins with a question:

Who allows them to exist on the market ?

In countries such as UK or US it is possible to legally obtain any device (Smart Watch, Baby monitor, Drone, Smart Fridge, GPS tracker etc.) that can be connected via WiFi or 3G back to the owner and provide remote command and control features.

Referring back to Troys Hunt article on :

How to Track Your Kids (and Other People's Kids) With the TicTocTrack Watch

Article goes on to explain how easy it is for an attacker to assume the position of an owner of an IOT device and control whatever there is in the reach.

Interestingly Juergen commented:

Quick comment on why parents in Germany had to destroy them.. that wasn't just because of these specific watches, but part of a crackdown on a whole class of illegal surveilance devices - the watches were merely the tip of the festering boil. You'll recall in recent years Germany ALSO banned for example internet-connected dolls.

The legal reasoning behind it is pretty straightforward: You're not allowed to buy/own devices that can be used to transmit audio or video data AND that look like ordinary household devices. No wifi spycams hidden in alarm clocks, no voice-activated dolls, no snooping wristwatches. And it's not merely using them that's banned - possessing them is also illegal. If you try to import them from China and get caught, it can get pretty expensive. Hence people were told to smash them if they already have them at home (and then dispose of the remains in an environmentally friendly way) - it's the only way to get rid of them, you can't just flog them on Ebay to some unsuspecting punter.

Why would Germany prohibit those devices on the market but other countries would not?

If you think that a threat to citizens privacy should be enough to stop those devices from being available how about a threat to personal safety ?

Threat wire

Devices that use the following Android apps may be vulnerable:

  • HiChip: CamHi, P2PWIFICAM, iMega Cam, WEBVISION, P2PIPCamHi, IPCAM P

  • VStarcam: Eye4, EyeCloud, VSCAM, PnPCam

  • Wanscam: E View7

  • NEO: P2PIPCAM, COOLCAMOP

  • Sricam: APCamera

  • Various: P2PCam_HD

Interesting to note, the manufacturers and app developers come from China.

How much urgency is given when the disclosure is being made:

Disclosure timeline

Date

Event

Jan. 15, 2019

Initial advisory issued to device vendors.

Jan. 17, 2019

No responses received. 2nd advisory issued to vendors.

Jan. 24, 2019

No responses received. 3rd advisory issued to vendors with intent to disclose.

Feb. 4, 2019

Developer of iLnkP2P identified. Initial advisory issued to developer with intent to disclose.

Feb. 14, 2019

No responses received. 2nd advisory issued to developer.

Feb. 19, 2019

No responses received. Vulnerabilities reported to CERT/CC.

~Apr. 1, 2019

CERT/CC relays vulnerabilities to CNCERT/CC.

Apr. 11, 2019

CVE-2019-11219 and CVE-2019-11220 reserved by MITRE.

Apr. 24, 2019

Public disclosure.

Crucial point from the research above is the vulnerability that exists with the iLnkP2P manufacturer:

The security flaws involve iLnkP2P, software developed by China-based Shenzhen Yunni Technology. iLnkP2p is bundled with millions of Internet of Things (IoT) devices, including security cameras and Webcams, baby monitors, smart doorbells, and digital video recorders.

krebsonsecurity

Is it carelessness and a desire to save money during development that drives those products to the market or a deliberate attempt (by whom?) to use providers who are not so mindful of the security side of the product? Or maybe it is a conjunction of both of those perspectives that accomplishes the end goal ? How do you really describe a product that is designed to provide you safety and security yet in the background compromises your safety and security ? Those questions need answers.

What is the scope of the damage/benefit ?

Surely somebody takes charge of whether a certain product should exist in our digital life even though, ironically most of those devices were released under the guise of providing more safety and peace of mind for the owner.

People subscribed to the idea of peace and safety through electronic means, one device at a time (2M of them):

illusion of safety and peace of mind on the map - seems like we have an app for that.

Take an example of Kaspersky Anti-Virus with its HQ in Moscow. Regardless of validity of allegations that KAV collects user information or not, US since 2017 will not permit any of their Russian counterpart software to exist on any government and corporate? computers under a suspicion that it might.

reference.

Point here is not to assess the security side of Kaspersky but to show that those in charge have the power to stop the foreign product from being sold when there is a suspicion of a threat.

Why not do the same with vulnerable IOT devices ? Certainly we cannot do the same and ban Chinese products on the market as this way we would we not have an access to well... our beloved phones that we get excited to show off (and provide free marketing) to our friends and family - phones manufacturers market share. Leading providers are Samsung, Huawei, Apple, Xiaomi after all. Is it the problem with filtering and distinguishing bad apple from a good apple ?