Over 3.5 million security cameras worldwide that use the iLnkP2P protocol and the CamHi app can be hacked into and spied on
This vulnerability could affect anyone who has purchased an Accfly, Elite Security, Genbolt, ieGeek, or SV3C security camera from Amazon, or any security camera made by Alptop, Besdersec, COOAU, CPVAN, Ctronics, Dericam, Jennov, LEFTEK, Luowice, QZT, HiChip, TENVIS, VStarcam, Wanscam, NEO Coolcam, Sricam, EyeSight, HVCAM, Tenvis, and/or PNI sold on Amazon.nl in the Netherlands.
Which? believes that nearly 3.5 million security cameras sold under the above and another 101 brands could be vulnerable to hacking because they use an app called CamHi to connect with your smartphone.
Which? security researchers collaborated with Paul Marrapese, a US-based security researcher, and found that nearly 3.5m security cameras installed worldwide are at risk. Of these 3.5 million, a majority are installed in different countries in Asia, while 700,000 are active across Europe, including more than 100,000 in the United Kingdom.
Which? says that the vulnerability is due to a flaw in the design of the cameras and the CamHi app they use. Using this vulnerability, any potential hacker can:
- Access the video stream of your camera to spy on your home
- Talk to people in your home if the camera has a microphone
- Steal or change your password
- Find the exact location of your home
- Target other devices connected to your home network
- Turn your security camera into part of an online botnet to conduct DoS and DDoS attacks or launch malware.
Which? says that there is nothing anyone can do to protect themselves if they have bought the above cameras and are using them through the CamHi app. The vulnerability exists in the way these camera brands use the “peer-to-peer” (P2P) protocol, which allows users to connect to their devices the moment they come online. Hackers are able to exploit flaws in these features to rapidly find vulnerable cameras, then launch attacks to access them, all without the owner’s knowledge.
All the above security cameras and dozens more use a component called iLnkP2P for P2P connection. iLnkP2P was developed by Shenzhen Yunni Technology Company, Inc. and the two vulnerabilities in it have been given unique CVE identifiers.
CVE-2019-11219 refers to an enumeration vulnerability in iLnkP2P that allows attackers to rapidly discover devices that are online. Due to the nature of P2P, attackers are then able to directly connect to arbitrary devices while bypassing firewall restrictions.
CVE-2019-11220 refers to an authentication vulnerability in iLnkP2P that allows attackers to intercept connections to devices and perform man-in-the-middle attacks. Attackers may use this vulnerability to steal the password to a device and take control of it.
The researchers have identified at least 47 security camera brands that use this particular iLnkP2P software and can be hacked and spied on. Although many of the above camera brands have been removed from sale, many remain available from online marketplaces such as Amazon, eBay, AliExpress, and Wish.com, and from other online stores worldwide. Paul Marrapese has listed the UID prefixes of the affected security cameras on his blog. If you find your UID on the list, you should immediately replace your security camera, baby monitor camera or CCTV camera.
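The UID check described above, sketched as an added example (not code from Which? or Paul Marrapese) for auditing several cameras at once. It assumes the UID on the camera label has the form PREFIX-SERIAL-CHECK (letters, digits, letters); the prefixes and inventory are constructed placeholders, and `parse_uid` and `audit_uids` are hypothetical names.

```python
import re

# Assumed UID layout (not stated on this page): PREFIX-SERIAL-CHECK,
# i.e. letters, digits, letters. Labels sometimes omit the hyphens.
UID_RE = re.compile(r"^([A-Z]{2,8})[-\s]?(\d{5,8})[-\s]?([A-Z]{4,8})$")

# Constructed placeholder prefixes; substitute the published prefix list.
SAMPLE_PREFIXES = {"XXXA", "ZZZB"}

# Constructed inventory: camera name -> UID as copied from its label.
SAMPLE_INVENTORY = {
    "nursery": "xxxa-123456-abcde",
    "garage": "ZZZB654321FGHIJ",
    "porch": "QQQC-111111-KLMNO",
    "shed": "S/N 0042",
}


def parse_uid(raw):
    """Return (prefix, serial, check) or None if raw is not UID-shaped."""
    m = UID_RE.match(raw.strip().upper())
    return m.groups() if m else None


def audit_uids(inventory, listed_prefixes):
    """Sort cameras into affected / not_listed / unparsed by UID prefix."""
    listed = {p.strip().upper() for p in listed_prefixes}
    report = {"affected": [], "not_listed": [], "unparsed": []}
    for name, raw in sorted(inventory.items()):
        parsed = parse_uid(raw)
        if parsed is None:
            # Not a recognisable UID: re-read the label by hand.
            report["unparsed"].append(name)
        elif parsed[0] in listed:
            # Compare the whole prefix field, not a substring, so a
            # listed "XXX" would not wrongly match a UID with "XXXA".
            report["affected"].append(name)
        else:
            report["not_listed"].append(name)
    return report


if __name__ == "__main__":
    result = audit_uids(SAMPLE_INVENTORY, SAMPLE_PREFIXES)
    for status, names in result.items():
        print(f"{status}: {', '.join(names) or '-'}")
```

A camera reported as `unparsed` has not been cleared; its label needs to be checked manually against the list.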
In addition to the CamHi app, Marrapese says that the following Android apps may also be vulnerable to hacking/spying:
- HiChip: CamHi, P2PWIFICAM, iMega Cam, WEBVISION, P2PIPCamHi, IPCAM P
- VStarcam: Eye4, EyeCloud, VSCAM, PnPCam
- Wanscam: E View7
- NEO: P2PIPCAM, COOLCAMOP
The researchers say that there is no way to mitigate these flaws and security camera buyers should only buy from branded manufacturers who have their own P2P protocol.