A security researcher who disclosed flaws impacting 2 million IoT devices in April – and has yet to see a patch or even hear back from the manufacturers contacted – is sounding off on the dire state of IoT security.

More than 2 million connected security cameras, baby monitors and other IoT devices have serious vulnerabilities that have been publicly disclosed for more than two months – yet they are still without a patch or even any vendor response.

Security researcher Paul Marrapese, who disclosed the flaws in April and has yet to hear back from any impacted vendors, is sounding off that consumers throw the devices away. The flaws could enable an attacker to hijack the devices and spy on their owners – or further pivot into the network and carry out more malicious actions.

“I 100 percent suggest that people throw them out,” he told Threatpost in a podcast interview. “I really, I don’t think that there’s going to be any patch for this. The issues are very, very hard to fix, in part because, once a device is shipped with a serial number, you can’t really change that, you can’t really patch that, it’s a physical issue.”

Marrapese said that he sent an initial advisory to device vendors in January, and after coordinating with CERT eventually disclosed the flaws in April due to their severity. However, even in the months after disclosure he has yet to receive any responses from any impacted vendors despite multiple attempts at contact. The incident points to a dire outlook when it comes to security, vendor responsibility, and the IoT market in general, he told Threatpost.

“I wish I was more optimistic about it truly,” he said. “Security, I mean, it’s an industry wide issue, where a lot of companies don’t really know how to properly threat model and how to properly test their products or how to properly architect these things …But even if that’s the case, what’s more troubling is when the vulnerabilities are inevitably discovered, there’s no response. I’ve heard from a lot of other researchers, basically the exact same story that I went through where an issue was discovered, and they tried to reach out to them and just got absolute radio silence or total denial.”

For the full interview, listen to the Threatpost podcast.

For direct download, click here.

Below is a lightly-edited transcript of the interview.

Lindsey O’Donnell: Welcome to the Threatpost podcast. I’m Lindsey O’Donnell with Threatpost and I’m here today with security researcher Paul Marrapese. Paul, thanks for joining us today. How are you doing?

Paul Marrapese: I’m doing pretty well. How are you?

LO: I’m good, good to hear. So you found some security vulnerabilities in April in security cameras and some other connected devices. And I want to talk a bit about that today. But first of all, could you tell us a little bit about yourself and your background in security?

PM: Sure. Yeah, I’ve been in security really, since I was a little kid. It was ultimately a motivation that got me to learn how to program, probably starting around when I was 10 or 11 years old. And as my career progressed, I went from system administration to software development, and then ultimately security.

LO: So you’ve really had that transition there.

PM: Yeah, yeah. And having that sort of background has given me a pretty good ability to get in the mindset of people who are developing these things and find real actual threats.

LO: Right. And that’s so important to when it comes to IoT, which we’re going to be talking about today, because I feel like there are so many different components that go into IoT devices from software to hardware to app dev to everything else. So I’m sure that that really comes to play when you’re looking at these types of devices.

PM: Absolutely.

LO: So going back to April, just for the background of the listeners, you found that the peer-to-peer (P2P) communications technology that was built into millions of security cameras and other consumer electronics included several critical security flaws, and these expose the devices to attacks like eavesdropping, credential, theft, remote compromise. So I really want to get a sense of the background behind you research and how you first stumbled upon these security flaws. Can you tell us the story there from your perspective, you know, walk us through how you made this discovery?

PM: Sure, I think it’ll be beneficial to describe how older generations of security cameras used to really work. Traditionally, what you would have to do is once you would attach it to your network, you would have to forward some ports or set up dynamic DNS, basically some way to make it so you could access it externally. So, back in January 2018, I had bought a camera, and I had plugged it in and realize I was able to connect to it immediately. So no manual setup, it had just automatically configured itself, and that both kind of intrigued me and also sort of freaked me out, right. So that was really the inspiration to start digging in to see how does this work. And ultimately, that turned out to be the P2P functionality. And digging into that deeper, I started to realize that that’s really a pretty common feature in cameras these days.

LO: Can you just for a second describe peer to peer communications and what functionality that has for IoT devices and its prevalence?

PM: Sure. Well, on a high level, it just makes it so you don’t have to actually configure anything. In order to connect to it, you don’t have to forward any ports, you don’t have to set up any dynamic DNS hosts or anything like that. The way that it works is it’s going to basically phone home back to manufacturer servers, and it’ll coordinate between the device that’s trying to connect and the device itself through a number of means. There’s a few ways that it can do this. And those ways can make it particularly tricky to block.

LO: So this specific solution that you were looking at was iLnkP2P, which I don’t know if I pronounced that the right way, but –

PM: Yes, that’s correct. Yeah.

LO: Right. So that was developed by a China-based company called Shenzhen Yunni Technology. And so how many devices or brands, I guess, have different security cameras and other IoT devices were using this?

PM: It’s tricky to really specify the exact number. The reason for that is because white labeling is extremely prevalent in the industry. So what you end up getting is there’s perhaps a couple main manufacturers who then resell and those resellers may resell and on and on and on. So you may literally end up with hundreds of different distributors, so the number one way to correlate these was just by the firmware or the apps that were being used, but in terms of the actual number of distributors really, my guess is easily hundreds of them.

LO: I’m sure that threw a wrench into trying to figure out all the different devices that were vulnerable and the whole process of disclosure there as well.

PM: It did. Yeah, it became very difficult. And there was a lot of chasing, there was a lot of dead ends, because a lot of the companies that didn’t exist anymore, there was no website up, no way to get in touch with them. So it really came down to a lot of analysis to find the common components between these different things and trying to get leads through that.

LO: Right. So yeah, I want to talk about disclosure in a second. But I do want to also look at the vulnerabilities themselves from a technical standpoint. In your report, you had mentioned there were two vulnerabilities. Is that correct?

PM: That’s correct. Yes.

LO: So one was an enumeration vulnerability, and the other was the authentication flaw. So can you kind of break those two bugs down and how easy it would be to exploit them and you know, what an attacker would really need. I mean, could it be remote or what kind of privilege they would need.

PM: Sure. So for the enumeration vulnerability, basically the way that P2P works is when, say you’re on your phone and say you’re outside, you want to connect to your camera, the way that that typically works is you have a special serial number known as a UID. And you put that into your app, and then that’s going to go to the manufacturer servers and coordinate the connection. So the UID is basically the ultimate way to connect to the device. So the reason that that’s particularly sensitive, especially with P2P, is because the whole point P2P is to arrange a direct connection, it’s to jump firewalls. So if you have that you can, you know, make a direct connection. That’s the point of it.

LO: Right.

PM: So the fact that you’re able to predict these values is extremely dangerous because you can really just, what I did was I just wrote a script that was able to just kind of keep on calculating them and keep on finding them and establish direct connections to them. So in total, I was able to find over 2 million of them around the world just from that weakness alone. The second vulnerability basically has to do with how the device itself will phone home and keep a connection with those manufacturer servers. And we found that basically, you can forge the message that it sends back to the master servers. And what that will do is it provides an attacker with the opportunity to make it so you’ll connect to them instead of the actual device, at which point your phone will try to authenticate to the attacker basically. And they can, at that point, get the password, they can intercept any video that you might be streaming. So when you combine those two things, it’s extremely scary because you can basically just pick arbitrary devices and steal their passwords. And if you were to really scale this up, you could do this on a very large level and just start compromising devices left and right.

LO: I feel as though one of the reasons why IoT security in particular is so disturbing, is because these are right in the home or, you know, the enterprise office or wherever the security cameras might be. So it just really gives you that more personalized look into these video streams, which is pretty scary.

PM: Yeah, extremely invasive. Yeah. I have seen folks who say, oh, you know, what’s the big deal this thing is just pointing out in my yard or watching my dog or something like that. One other threat that a lot of people don’t really realize is a very common use of getting an entry point like this is to pivot. So what that means is an attacker might get in through this way and they may not actually be interested in the camera itself, they may go, oh, what other devices are on this network? So whether that’s other computers or other IoT devices, then they can potentially keep on moving throughout the network. If this is a business, for example, they may find a server. So this can very quickly escalate to other more serious things than spying on people. Not that that isn’t bad.

LO: Yeah, that’s very invasive. Did you get a sense of whether the brands that were vulnerable, or I guess the devices, were they more consumer devices or more on that commercial side or a mix of the two?

PM: It’s certainly a mix. I would say that mostly, you’ll find these things in residences, but I think a great example is restaurants, like whenever I’m going out to eat I usually try to keep an eye out for cameras that restaurant owners might stick in their businesses and occasionally I will find one that is like a brand name that I recognize. I see these in larger corporations like those might have more professional security systems, but smaller mom and pop places, you can definitely find these things too.

LO: Right. I’m sure it’s hard to recognize those in restaurants or whatnot, because you know, you can’t really do anything about it. I mean, what was your advice to users of the devices once the vulnerabilities were disclosed?

PM: I 100 percent suggest that people throw them out. I really, I don’t think that there’s going to be any patch for this. The issues are very, very hard to fix, in part because, once a device is shipped with a serial number, you can’t really change that, you can’t really patch that, it’s a physical issue. So I say I don’t think there’s going to be a fix. And the thing is that even if you were to segment these things on an independent network, people could still potentially hijack the passwords because of how these vulnerabilities work. So I say, to stitch these things, it’s not worth, you know, the $20 that was spent on them. Just try to get something from a reputable vendor.

LO: I wanted to ask you a bit about that process of disclosure because you sent the initial advisory to device vendors in January. You know, in your research, you said that you hadn’t received any responses from many of the vendors and I’m sure this is also tons of different companies and vendors that you had to juggle at the same time. So can you break down how that process was and since you released the research in April, have you heard back yet from anyone?

PM: So as I was kind of correlating the devices to various OEMs and manufacturers, I was able to get a couple of contact email addresses and they were my first point of contact. Tried to reach out to all of them probably two or three times – I think there was like six or seven different ones – Not one of them responded to me. After a good couple of weeks, I just went right to CERT, which is the computer emergency response team who is very helpful in the process of trying to reach out to vendors and trying to coordinate this whole thing. They didn’t receive a response either. So they also reached out to China’s CERT. And from what I understand they didn’t get a response from them either. So I gave a 90 day heads up, like I informed the manufacturers, my intent was to disclose because this is such a serious issue. And since I got no response, we just went ahead with disclosure.

LO: It’s pretty crazy, looking at IoT devices in general, five years ago, I was maybe more hopeful that market pressures would drive security for these connected devices and that the connected device state of security would improve but at this point, I’m feeling a lot more pessimistic over the past two years or so, I mean, from your perspective, having dealt with various manufacturers across the industry what’s your thoughts overall on IoT security and whether you think devices will ever be secure?

PM: I wish I was more optimistic about it truly. Security, I mean, it’s an industry wide issue, where a lot of companies don’t really know how to properly threat model and how to properly test their products or how to properly architect these things. So these issues don’t happen to begin with. Even when you do have all those measures in place, I mean, vulnerabilities can still happen. And that’s just a fact of life. I mean, that’s, that’s human nature. We can’t develop perfect things, and that’s fine, but they just have to be addressed properly. So unfortunately, I don’t know if I really see any proper architecting and going into these because especially with China, it’s usually just a rush to get to market as soon as possible. And there’s not really a lot of thought going into some of these things. But even if that’s the case, what’s more troubling is when the vulnerabilities are inevitably discovered, there’s no response. I’ve heard from a lot of other researchers, basically the exact same story that I went through where an issue was discovered, and they tried to reach out to them and just got absolute radio silence or total denial. So it’s unfortunately, a pattern. And I don’t know if I see that going away anytime soon.

LO: Right. And we are seeing new regulatory efforts, and which I don’t know if you’re familiar with California Senate Bill 327. And we have the UK government announcing a new mandate promising new requirements for IoT manufacturers. Does that make you more hopeful at all? Or do you think that more needs to be kind of fleshed out in terms of making more requirements for IoT vendors.

PM: I don’t know the particular details of those. But one thing that I can pretty much say is it really also kind of comes down to if you’re buying something from outside of where those laws have effect. So if, obviously, I’m in the United States, but if I buy something from China where there’s different regulations, and those laws can be enforced, at that point, the way that this issue could kind of be remediated is the supplier level where the supplier – so if I getting this from Amazon, for example – perhaps they should have better sort of selection from what they’re offering. If they’re selling products from China, and they know that the laws there aren’t as strict, they’re still ultimately bringing those defective products into the country and the issue is going to continue here.

LO: That’s a really good point. And I think that the cost aspect of it will be a big play in the future as well. I’m not sure how much that would drive security. But I know, right now, like you said, a lot of manufacturers are looking to get their devices out ASAP at the lowest price. But I don’t know if in a year or two that’s going to be worth the continued lack of security that are in these devices and particularly as consumers and enterprises become more aware of that. So, should be should be interesting to see. Well, Paul, thank you so much for coming on to the Threatpost podcast today and talking a little bit about IoT devices and your research there.

PM: Of course, thank you for having me.

LO: Great. Once again. I am Lindsey O’Donnell with Threatpost and we had a great discussion today with security researcher Paul Marrapese.

Ransomware is on the rise: Don’t miss our free Threatpost webinar on the ransomware threat landscape, June 19 at 2 p.m. ET. Join Threatpost and a panel of experts from Malwarebytes, Recorded Future and Moss Adams as they discuss how to manage the risk associated with this unique attack type, with exclusive insights into new developments on the ransomware front and how to stay ahead of the attackers.