Critical supply chain flaw exposes IoT cameras to cyber attack

Hackers can exploit the vulnerability in ThroughTek's P2P SDK to spy on video feeds and steal data

A severe vulnerability in the software development kits (SDKs) of a key supplier for Internet of Things (IoT) devices has exposed swathes of industrial hardware to cyber attack.

The vulnerability lies in ThroughTek’s P2P SDK, which is used to provide remote access to audio or video streams over the internet. It’s used by multiple camera vendors and is deployed in many CCTV systems, as well as other IoT devices such as baby and pet monitoring cameras.

Hackers can exploit the flaw, which is rated 9.1 out of ten on the CVSS threat severity scale, to access media feeds and obtain sensitive data. The vulnerability also lets attackers spoof devices and hijack their certificates.

Researchers with Nozomi Networks discovered the flaw, and reported it to the company in line with its disclosure policy. The severity of the vulnerability has also forced the US Cyber security & Infrastructure Agency (CISA) to issue an alert warning businesses that their systems may be vulnerable.

“Generally, when a buyer looks at the technical details of various security cameras, they are unable to identify the P2P provider or find a proper description of the protocol,” Nozomi said in a blog post. “In our experience, the best and only way to get this information is to look directly at the client/server implementation. Unfortunately, most buyers do not have the skills or inclination to do this.

“Therefore, the best way to prevent captured audio/video content from being viewed by strangers over the internet is to disable P2P functionality. We recommend that users only enable P2P in the rare situations where the vendor can provide a thorough technical explanation of why the algorithms used in their products are secure.”

Nozomi researchers first discovered the flaw when analysing the network traffic of a network video recorder with P2P functionality. They soon identified the technical nature of the vulnerability and developed a proof-of-concept script to exploit it. The flaw affects versions 3.1.5 and prior of the P2P SDK.

ThroughTek confirmed it recently discovered that some of its customers had incorrectly implemented its SDK, or had disregarded SDK version updates. The flaw, which ThroughTek describes as being within the P2P library TUTK, has been addressed in version 3.3 and onwards of the SDK, which was released in mid-2020.


“We strongly suggest that you review the SDK version applied in your product and follow the instructions below to avoid any potential problems,” the company said in a statement.

“On this note, we would like to encourage you to keep a close watch to our future SDK releases in response to new security threats. If you have any further questions, please do not hesitate to contact your TUTK contact window for further assistance.”

There are no reports of active exploitation yet, although the fact that CISA has been moved to issue an alert, combined with the 9.3 CVSS threat severity score, suggests exploitation is likely on systems that haven’t been updated.
