The vulnerability exisits in the company’s P2P SDK, a function that allows a client on a desktop or mobile app to access the camera’s audio or video streams via the internet.
Nozomi Networks has shared details of a critical IoT supply chain vulnerability that might be exposing millions of internet-connected cameras to espionage. Reportedly, the flaw affects IoT cameras worldwide and lets attackers hijack video streams.
Flaw Identified in ThroughTek’s P2P SDK
The flaw was discovered in ThroughTek’sr software component used by OEMs to manufacture IP cameras, baby/pet monitoring cameras, battery devices, and robotic devices. The vulnerability is present in the company’s P2P SDK, which is a function that allows a client on a desktop or mobile app to access the camera’s audio or video streams via the internet.
SEE: Hackers access 150,000+ security cameras in massive hack
It is reported that the protocol used to transmit these data streams don’t possess a secure key exchange. Instead, it relies on a fixed key-based obfuscation scheme. Hence, attackers can access it and construct the audio/video stream to spy on users remotely. Moreover, it can allow attackers to carry out device spoofing, eavesdropping on camera audio/video, and hijack device certificates.
CISA Releases Security Alert
On June 15th 2021, CISA released a separate advisory for ThroughTek P2P SDK and gave it a CVSS score of 9.1, stating that:
“ThroughTek supplies multiple original equipment manufacturers of IP cameras with P2P connections as part of its cloud platform. Successful exploitation of this vulnerability could permit unauthorized access to sensitive information, such as camera audio/video feeds.”
CISA noted that the vulnerability impacts SDK version 3.1.5 and older, versions with nossl tag, and device firmware lacking AuthKey for IOTC connection and using the RDT module, P2PTunnel, or AVAPI module without enabling DTLS.
Packets connected to iotcplatform.com, the domain name accessed by clients of ThroughTek’s P2P platform. (Image: Nozomi Networks)
The advisory revealed that the impacted P2P products don’t adequately protect the data transmitted between the company’s servers and the local device, letting the attackers access sensitive data such as camera feeds.
ThroughTek’s Response
The company conveniently blamed developers who incorrectly implemented its SDK or didn’t update to the latest version. ThroughTek claims that it introduced version 3.3 in mid-2020 to fix this issue and update its devices’ SDK version, and those who didn’t upgrade the software are vulnerable to this threat.
