In an advisory published Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) detailed a critical software supply-chain vulnerability affecting ThroughTek’s software development kit (SDK). An adversary could exploit this vulnerability to gain improper access to audio and video streams.
“Successful exploitation of this vulnerability could permit unauthorized access to sensitive information, such as camera audio/video feeds.”
With ThroughTek’s point-to-point (P2P) SDK, users of devices with video surveillance functions can also get remote access to video and audio content over the internet. These devices include IP cameras, pet and baby monitors, smart appliances, and sensors.
The flaw, CVE-2021-32934 (CVSS: 9.1), affects ThroughTek P2P products, versions 3.1.5 and before, and SDK versions with no SSL tag, and stems from an insufficiently protected back channel between hardware and ThroughTek servers.
According to Nozomi Networks, which reported the vulnerability in March 2021, the use of vulnerable security cameras could expose sensitive business, production, and employee information, putting critical infrastructure operators at risk.
The San Francisco-headquartered IoT security firm said:
“The [P2P] protocol used by ThroughTek lacks a secure key exchange [and] relies instead on an obfuscation scheme based on a fixed key. Since this traffic traverses the internet, an attacker that is able to access it can reconstruct the audio/video stream.”
Researchers created a proof-of-concept (PoC) exploit that deciphers traffic packets on the fly to demonstrate the vulnerability. We recommend that all original equipment manufacturers (OEMs) using SDK 3.1.10 or higher enable AuthKey and DTLS, and that those on previous versions of the SDK upgrade their libraries to 188.8.131.52 or v184.108.40.206 and enable both features.
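One way an OEM or operator could confirm the DTLS mitigation on datagrams captured from their own device, as an added example that is not from the advisory or ThroughTek's SDK: it tests whether each UDP payload parses as DTLS 1.0/1.2 records using the RFC 6347 header layout. It assumes the device sends standard DTLS records directly in UDP payloads once DTLS is enabled; the function names and sample payloads are constructed for illustration.

```python
import struct

# DTLS 1.0/1.2 record header (RFC 6347), 13 bytes:
# type(1) | version(2) | epoch(2) | sequence_number(6) | length(2)
HEADER_LEN = 13
VERSIONS = {0xFEFF: "DTLS 1.0", 0xFEFD: "DTLS 1.2"}
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}

def parse_dtls_records(payload: bytes):
    """Return [(type, version, epoch, length), ...] when the whole UDP
    payload is a chain of well-formed DTLS records, otherwise None."""
    records, off = [], 0
    while off < len(payload):
        if len(payload) - off < HEADER_LEN:
            return None                      # truncated header
        ctype, version, epoch = struct.unpack_from("!BHH", payload, off)
        (length,) = struct.unpack_from("!H", payload, off + 11)
        if ctype not in CONTENT_TYPES or version not in VERSIONS:
            return None                      # not a DTLS record header
        end = off + HEADER_LEN + length
        if end > len(payload):
            return None                      # length field overruns datagram
        records.append((CONTENT_TYPES[ctype], VERSIONS[version], epoch, length))
        off = end
    return records or None

def audit_flow(payloads):
    """Summarise how many datagrams of one flow parse as DTLS."""
    dtls = sum(1 for p in payloads if parse_dtls_records(p))
    return {"datagrams": len(payloads), "dtls": dtls,
            "non_dtls": len(payloads) - dtls,
            "all_dtls": bool(payloads) and dtls == len(payloads)}

def _record(ctype, epoch, seq, body, version=0xFEFD):
    """Build a constructed sample record (test data only)."""
    return (struct.pack("!BHH", ctype, version, epoch)
            + seq.to_bytes(6, "big") + struct.pack("!H", len(body)) + body)

# Constructed sample payloads, not captured from any real device.
SAMPLE_DTLS = [_record(22, 0, 0, b"\x01" * 20, version=0xFEFF),
               _record(23, 1, 1, b"\xaa" * 32) + _record(23, 1, 2, b"\xbb" * 16)]
SAMPLE_OPAQUE = [bytes(range(40)), b"\x17\xfe\xfd" + b"\x00" * 5]

if __name__ == "__main__":
    print(audit_flow(SAMPLE_DTLS))
    print(audit_flow(SAMPLE_DTLS + SAMPLE_OPAQUE))
```

This is a structural heuristic: a flow with any non-DTLS datagrams after the handshake deserves a closer look, while a clean result only shows the record framing is present. DTLS 1.3 encrypted records use a different header and are not covered here.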
As the flaw impacts a component included in the supply chain for many leading OEMs of consumer-grade security cameras and IoT devices, exploitation of the flaw could effectively compromise the devices’ security by enabling the attacker to track and view audio-video streams.
The researchers said:
“Because multiple vendors have integrated ThroughTek’s P2P library into many different devices over the years, it’s virtually impossible for a third-party to track the affected products.”