Critical supply chain flaw exposes IoT cameras to cyber attack

Hackers can exploit the vulnerability in ThroughTek's P2P SDK to spy on video feeds and steal data

A key supplier for Internet of Things (IoT) devices has a severe vulnerability in its software development kits (SDKs) that has exposed swathes of industrial hardware to cyber attack.

The vulnerability lies in ThroughTek’s P2P SDK, which is used to provide remote access to audio or video streams over the internet. It’s used by multiple camera vendors and is deployed in many CCTV systems, as well as other IoT devices such as baby and pet monitoring cameras.

Hackers can exploit the flaw, which is rated 9.1 out of ten on the CVSS threat severity scale, to access media feeds and obtain sensitive data. Beyond data theft, the vulnerability also lets attackers spoof devices and hijack their certificates.

Researchers with Nozomi Networks discovered the flaw and reported it to the company in line with its disclosure policy. The severity of the vulnerability has also prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert warning businesses that their systems may be vulnerable.

“Generally, when a buyer looks at the technical details of various security cameras, they are unable to identify the P2P provider or find a proper description of the protocol,” Nozomi said in a blog post. “In our experience, the best and only way to get this information is to look directly at the client/server implementation. Unfortunately, most buyers do not have the skills or inclination to do this.

“Therefore, the best way to prevent captured audio/video content from being viewed by strangers over the internet is to disable P2P functionality. We recommend that users only enable P2P in the rare situations where the vendor can provide a thorough technical explanation of why the algorithms used in their products are secure.”

Nozomi researchers first discovered the flaw while analysing the network traffic of a network video recorder with P2P functionality. They soon identified the technical nature of the vulnerability and developed a proof-of-concept script to exploit it. The flaw affects versions 3.1.5 and prior of the P2P SDK.

ThroughTek confirmed it recently discovered that some of its customers had incorrectly implemented its SDK or had disregarded SDK version updates. The flaw, which ThroughTek describes as being within the P2P library TUTK, has been addressed in version 3.3 and onwards of the SDK, which was released in mid-2020.


“We strongly suggest that you review the SDK version applied in your product and follow the instructions below to avoid any potential problems,” the company said in a statement.

“On this note, we would like to encourage you to keep a close watch on our future SDK releases in response to new security threats. If you have any further questions, please do not hesitate to contact your TUTK contact window for further assistance.”

There are no reports of active exploitation yet, although the fact that CISA has been moved to issue an alert, combined with the 9.3 CVSS threat severity score, suggests exploitation is likely on systems that haven’t been updated.
