  • Critical ThroughTek Flaw Opens Millions of Connected Cameras to Eavesdropping

    aum


     

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday issued an advisory regarding a critical software supply-chain flaw impacting ThroughTek's software development kit (SDK) that could be abused by an adversary to gain improper access to audio and video streams.

     

    "Successful exploitation of this vulnerability could permit unauthorized access to sensitive information, such as camera audio/video feeds," CISA said in the alert.

     

    ThroughTek's point-to-point (P2P) SDK is widely used by IoT devices with video surveillance or audio/video transmission capability such as IP cameras, baby and pet monitoring cameras, smart home appliances, and sensors to provide remote access to the media content over the internet.

     

    Tracked as CVE-2021-32934 (CVSS score: 9.1), the shortcoming affects ThroughTek P2P products, versions 3.1.5 and before, as well as SDK versions with the nossl tag, and stems from a lack of sufficient protection when transferring data between the local device and ThroughTek's servers.

     

    The flaw was reported by Nozomi Networks in March 2021, which noted that the use of vulnerable security cameras could leave critical infrastructure operators at risk by exposing sensitive business, production, and employee information.

     


     

    "The [P2P] protocol used by ThroughTek lacks a secure key exchange [and] relies instead on an obfuscation scheme based on a fixed key," the San Francisco-headquartered IoT security firm said. "Since this traffic traverses the internet, an attacker that is able to access it can reconstruct the audio/video stream."

     

    To demonstrate the vulnerability, the researchers created a proof-of-concept (PoC) exploit that deobfuscates packets from the network traffic on the fly.

     

    ThroughTek recommends original equipment manufacturers (OEMs) using SDK 3.1.10 and above to enable AuthKey and DTLS, and those relying on an SDK version prior to 3.1.10 to upgrade the library to version 3.3.1.0 or v3.4.2.0 and enable AuthKey/DTLS.
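
    The version thresholds in the advisory and the vendor guidance above can be applied to a device inventory as in the following sketch. This is an added example, not code from CISA, ThroughTek or Nozomi Networks; the inventory field names, the sample records and the treatment of nossl builds on newer versions are assumptions.

```python
import re

AFFECTED_MAX = (3, 1, 5, 0)     # advisory: "versions 3.1.5 and before"
HARDENABLE_MIN = (3, 1, 10, 0)  # vendor: 3.1.10 and above can enable AuthKey and DTLS
UPGRADE = "upgrade to 3.3.1.0 or 3.4.2.0, then enable AuthKey/DTLS"
ENABLE = "enable AuthKey and DTLS"
OK = "no action"

def parse_version(text):
    """Parse '3.1.5', 'v3.4.2.0' or '3.2.0-nossl' into (4-tuple, nossl_flag)."""
    m = re.match(r"v?(\d+(?:\.\d+){0,3})", text.strip())
    if not m:
        raise ValueError(f"unrecognised SDK version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))  # pad so 3.1.5 compares equal to 3.1.5.0
    return tuple(parts), "nossl" in text.lower()

def triage(device):
    """Return (in_advisory_range, action) for one inventory record."""
    version, nossl = parse_version(device["sdk_version"])
    in_range = version <= AFFECTED_MAX or nossl
    # Integer tuples are compared, not strings: "3.1.10" sorts before "3.1.5" as text.
    if version < HARDENABLE_MIN or nossl:
        # Assumption: nossl builds are handled like old builds, because the
        # page lists them as affected but gives no separate fix for them.
        return in_range, UPGRADE
    if device.get("authkey") and device.get("dtls"):
        return in_range, OK
    return in_range, ENABLE

# Constructed inventory; the field names are hypothetical.
INVENTORY = [
    {"model": "cam-a", "sdk_version": "3.1.5", "authkey": False, "dtls": False},
    {"model": "cam-b", "sdk_version": "3.1.9", "authkey": False, "dtls": False},
    {"model": "cam-c", "sdk_version": "3.1.10", "authkey": True, "dtls": False},
    {"model": "cam-d", "sdk_version": "v3.4.2.0", "authkey": True, "dtls": True},
    {"model": "cam-e", "sdk_version": "3.2.0-nossl", "authkey": True, "dtls": True},
]

def report(inventory):
    """Map each model name to its triage result."""
    return {d["model"]: triage(d) for d in inventory}

if __name__ == "__main__":
    for model, (in_range, action) in report(INVENTORY).items():
        print(f"{model}: in advisory range={in_range}; {action}")
```

    Versions 3.1.6 through 3.1.9 fall outside the advisory's stated range but below the 3.1.10 threshold in the vendor guidance, so the sketch still marks them for upgrade.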

     

    Since the flaw affects a software component that's part of the supply chain for many OEMs of consumer-grade security cameras and IoT devices, successful exploitation could effectively breach the security of those devices, enabling an attacker to access and view confidential audio or video streams.

     

    "Because ThroughTek's P2P library has been integrated by multiple vendors into many different devices over the years, it's virtually impossible for a third-party to track the affected products," the researchers said.

     
