More than two million IoT devices, possibly more, are using a vulnerable P2P firmware component that allows hackers to locate and take over impacted systems.
Vulnerable devices include IP cameras, baby monitors, smart doorbells, DVRs, and many others, manufactured and sold by multiple vendors under hundreds of brands, such as HiChip, TENVIS, SV3C, VStarcam, Wanscam, NEO Coolcam, Sricam, Eye Sight, and HVCAM, just to name a few.
What all these devices have in common is that they use iLnkP2P, a firmware component that allows the device to talk to vendors' servers via the P2P (peer-to-peer) protocol.
Earlier this year, security researcher Paul Marrapese discovered two vulnerabilities in this component --tracked under the CVE-2019-11219 and CVE-2019-11220 identifiers.
According to Marrapese, the first "allows attackers to rapidly discover devices that are online," while the second "allows attackers to intercept connections to devices and perform man-in-the-middle attacks" and "to steal the password to a device and take control of it."
Read more: Over two million IoT devices vulnerable because of P2P component flaws | ZDNet
See also: Security cameras vulnerable to hijacking