100,000 Hichip Security Cameras in UK Are Not So Secure, as It Turns Out

Internet-of-things devices have been around for a while, and at this point, few can deny their utility. However, in order to function, they rely on technological interconnectedness – which is more than a boon – hackers have been known to use vulnerabilities in such devices to cause their victims no end of misery.

While high-end devices usually come pre-installed with the necessary security countermeasures to ensure that the consumer is safe from the depredations of ne’er-do-wells. However, the majority of the devices currently in use around the globe are not high-end devices, and it seems like exploitable vulnerabilities in said devices’ code or hardware are discovered every day. This is precisely the case with CVE-2019-11219 and CVE-2019-11220.

Wireless security cameras overwhelmingly employ peer-to-peer (P2P) features, which allow users to connect to their devices instantly when they come online. Unfortunately, a software loophole in iLnkP2P, a P2P solution developed by Shenzhen Yunni Technology Company, has created two distinct vulnerabilities. These are the abovementioned CVE-2019-11219 and CVE-2019-11220.

CVE-2019-11219 refers to an enumeration vulnerability in iLnkP2P that enables hackers to quickly discover devices that are online and available. Due to the way that P2P functions, attackers may then be able to connect to any device they discovered directly, completely bypassing firewall restrictions.

CVE-2019-11220 refers to an authentication vulnerability in iLnkP2P that enables hackers to intercept connections between devices, effectively giving them the opportunity to perform man-in-the-middle attacks. Hackers may take advantage of this vulnerability to gain access to a device and even steal its password.

Bypassed firewalls and stolen device passwords are both big deals when it comes to smart home security. The discovery of these two crucial security flaws effectively renders any wireless security camera into more of a vulnerability than an asset. And the real problem is that the vulnerability affects a wide range of products. Over 100,000 of these unsafe devices are operational in the UK alone, as of the writing of this article.

Which Devices are Affected?

It’s relatively easy to check whether or not your smart security cameras are affected by CVE-2019-11219 and CVE-2019-11220. All you need to do is have a look at the back of the device itself. There should be a special serial number known as an UID there. It consists of a couple of letters, followed by a couple of numbers, then followed by a couple more letters. What you should take note of is the first letter combination. If you find that letter combination among the ones listed below, then your device probably suffers from the vulnerabilities described above.

AABB, AACC AID, AJT, AVA, BSIP, CAM CPTCAM, CTW, DFT, DFZ DYNE, EEEE , ELSA, ESN, ESS, EST, EYE, FFFF, GCMN, GGGG, GKW, HDT, HHHH, HRXJ, HVC, HWAA HZD, HZDA, HZDB, HZDC, HZDN, HZDX, HZDY, HZDZ, IIII, IPC, ISRP, JWEV, KSC, MCI, MCIHD, MDI, MDIHD, MEG, MEYE, MGA, MGW, MIC, MICHD, MMMM, MNC, MSE, MSEHD, MSI, MSIHD, MTE, MTEHD, MUI, MUIHD, NIP, NIPHD, NNNN, NPC, NTP, OBJ, OHT, OPCS, OPMS PAR, PARC, PCS, PHP, PIO PIPCAM, PIX, PNP PPPP, PSD, PTP, QHSV, ROSS, SID, SIP, SSAA, SSSS, SXH, TIO, TSD, UID, VIO, VSTD, VSTF, WBT, WBTHD, WHI, WNR, WNS, WNSC, WNV, WXH, WXO, XDBL, XTST, ZES, ZLD, ZSKJ, ZZZZ

What Should You Do About This?

1. If you already own one of these devices, you should know that it may well end up being a serious security liability. Ideally, you should stop using it and invest in a better product.
2. If you are thinking of buying a wireless security camera – do a bit of research beforehand, make sure the model you’re looking at doesn’t have any documented security flaws, and consider not buying the cheapest one available.