[cryptome] Peer-to-peer takes on a whole new meaning when used to spy on 3.7 million or more cameras, other IoT gear

  • From: douglasrankine <douglasrankine@xxxxxxxxxxx>
  • To: "cryptome@xxxxxxxxxxxxx" <cryptome@xxxxxxxxxxxxx>
  • Date: Tue, 11 Aug 2020 10:53:52 +0100

see url: https://www.theregister.com/2020/08/10/iot_p2p_horror/

see full article...

Quote

In-depth dive into protocols exposing countless gadgets to miscreants.

DEF CON: More than 3.7 million. That's the latest number of surveillance cameras, baby monitors, doorbells with webcams, and other internet-connected devices found left open to hijackers via two insecure communications protocols globally, we're told.

This is up from estimates of a couple of million last year. The protocols are CS2 Network P2P, used by more than 50 million devices worldwide, and Shenzhen Yunni iLnkP2P, used by more than 3.6 million. The P2P stands for peer-to-peer. The devices' use of the protocols cannot be switched off.

The upshot is Internet-of-Things gadgets using vulnerable iLnkP2P implementations can be discovered and accessed by strangers, particularly if the default password has not been changed or is easily guessed. Thus miscreants can abuse the protocol to spy on poorly secured cameras and other equipment dotted all over the world (CVE-2019-11219). iLnkP2P connections can also be intercepted by eavesdroppers to snoop on live video streams, login details, and other data (CVE-2019-11220).

Meanwhile, CS2 Network P2P can fall to the same sort of snooping as iLnkP2P (CVE-2020-9525, CVE-2020-9526). iLnkP2P is, we're told, functionally identical to CS2 Network P2P though there are some differences.

The bugs were found by Paul Marrapese, who has a whole site, hacked.camera, dedicated to the vulnerabilities. "As of August 2020, over 3.7 million vulnerable devices have been found on the internet," reads the site, which lists affected devices and advice on what to do if you have any at-risk gear. (Summary: throw it away, or try firewalling it off.)

End of Quote
