Millions of Connected Cameras Open to Eavesdropping (Security News, June 2021)
Millions of connected security and home cameras contain a critical software vulnerability that can allow remote attackers to tap into video feeds, according to a warning from the Cybersecurity and Infrastructure Security Agency.
The bug has been introduced via a supply-chain component from ThroughTek that's used by several original equipment manufacturers of security cameras - along with makers of IoT devices like baby- and pet-monitoring cameras, and robotic and battery devices.
The ThroughTek component at issue is its peer-to-peer software development kit, which has been installed in several million connected devices, according to the supplier.
A network video recorder, which is connected to security cameras and represents the local P2P server that generates the audio/video stream.
In analyzing the specific client implementation for ThroughTek's P2P platform and the network traffic generated by a Windows client connecting to the NVR through P2P, Nozomi researchers found that the data transferred between the local device and ThroughTek servers lacked a secure key exchange, relying instead on an obfuscation scheme based on a fixed key.
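The following is an added example, not code from the article, Nozomi or ThroughTek. It shows a check an auditor can run on captured traffic to tell fixed-key obfuscation from per-session keying. The article does not describe the actual scheme, so the XOR-mask construction, the key, the header and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

FIXED_KEY = b"constructed-demo-key"   # constructed value, not a real vendor key
KNOWN_HEADER = b"HELLO-NVR/1.0 "      # constructed plaintext every session starts with

def keystream(key: bytes, n: int) -> bytes:
    """Expand a key into n masking bytes (toy construction, an assumption)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def obfuscate_fixed(msg: bytes) -> bytes:
    """Weak pattern: every device and every session masks with the same key."""
    return xor(msg, keystream(FIXED_KEY, len(msg)))

def protect_per_session(msg: bytes, session_key: bytes) -> bytes:
    """Contrast case: session_key stands in for the output of a real key exchange.
    Still a toy mask (no integrity protection), used only to show fresh keying."""
    return xor(msg, keystream(session_key, len(msg)))

def mask_reused(captures: list[bytes], known_prefix: bytes) -> bool:
    """Audit check: remove the known prefix from each capture and compare the
    leftover masking bytes. Identical masks across sessions mean a fixed key."""
    masks = {xor(c[:len(known_prefix)], known_prefix) for c in captures}
    return len(captures) > 1 and len(masks) == 1

def demo() -> tuple[bool, bool]:
    # Two constructed sessions that share a protocol header but differ afterwards.
    sessions = [KNOWN_HEADER + b"user=alice", KNOWN_HEADER + b"user=bob"]
    fixed = [obfuscate_fixed(m) for m in sessions]
    fresh = [protect_per_session(m, secrets.token_bytes(32)) for m in sessions]
    return mask_reused(fixed, KNOWN_HEADER), mask_reused(fresh, KNOWN_HEADER)

if __name__ == "__main__":
    print(demo())
```

A `True` result for traffic from independent sessions indicates that confidentiality rests on a secret shared by every deployed client, which is the condition the researchers describe.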
IoT camera bugs are hardly rare: Last month owners of Eufy home-security cameras were warned of an internal server bug that allowed strangers to view, pan and zoom in on their home-video feeds.
News URL
https://threatpost.com/millions-connected-cameras-eavesdropping/166950/