Security News > 2021 > June > Critical ThroughTek Flaw Opens Millions of Connected Cameras to Eavesdropping
The U.S. Cybersecurity and Infrastructure Security Agency on Tuesday issued an advisory regarding a critical software supply-chain flaw impacting ThroughTek's software development kit that could be abused by an adversary to gain improper access to audio and video streams.
ThroughTek's point-to-point SDK is widely used by IoT devices with video surveillance or audio/video transmission capability such as IP cameras, baby and pet monitoring cameras, smart home appliances, and sensors to provide remote access to the media content over the internet.
Tracked as CVE-2021-32934, the shortcoming affects ThroughTek P2P products, versions 3.1.5 and before as well as SDK versions with nossl tag, and stems from a lack of sufficient protection when transferring data between the local device and ThroughTek's servers.
The flaw was reported by Nozomi Networks in March 2021, which noted that the use of vulnerable security cameras could leave critical infrastructure operators at risk by exposing sensitive business, production, and employee information.
"The [P2P] protocol used by ThroughTek lacks a secure key exchange [and] relies instead on an obfuscation scheme based on a fixed key," the San Francisco-headquartered IoT security firm said.
ThroughTek recommends original equipment manufacturers using SDK 3.1.10 and above to enable AuthKey and DTLS, and those relying on an SDK version prior to 3.1.10 to upgrade the library to version 3.3.1.0 or v3.4.2.0 and enable AuthKey/DTLS. Since the flaw affects a software component that's part of the supply chain for many OEMs of consumer-grade security cameras and IoT devices, the fallout from such an exploitation could effectively breach the security of the devices, enabling the attacker to access and view confidential audio or video streams.
News URL
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-05-19 | CVE-2021-32934 | Unspecified vulnerability in Throughtek Kalay P2P Software Development KIT 3.1.5 The affected ThroughTek P2P products (SDKs using versions before 3.1.5, any versions with nossl tag, device firmware not using AuthKey for IOTC conneciton, firmware using AVAPI module without enabling DTLS mechanism, and firmware using P2PTunnel or RDT module) do not sufficiently protect data transferred between the local device and ThroughTek servers. | 7.5 |