The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday issued an advisory regarding a critical software supply-chain flaw impacting ThroughTek’s software development kit (SDK) that could be abused by an adversary to gain improper access to audio and video streams.
“Successful exploitation of this vulnerability could permit unauthorized access to sensitive information, such as camera audio/video feeds,” CISA said in the alert.
ThroughTek’s point-to-point (P2P) SDK is widely used by IoT devices with video surveillance or audio/video transmission capability such as IP cameras, baby and pet monitoring cameras, smart home appliances, and sensors to provide remote access to the media content over the internet.
Tracked as CVE-2021-32934 (CVSS score: 9.1), the shortcoming affects ThroughTek P2P products, versions 3.1.5 and before as well as SDK versions with nossl tag, and stems from a lack of sufficient protection when transferring data between the local device and ThroughTek’s servers.
The flaw was reported by Nozomi Networks in March 2021, which noted that the use of vulnerable security cameras could leave critical infrastructure operators at risk by exposing sensitive business, production, and employee information.
“The [P2P] protocol used by ThroughTek lacks a secure key exchange [and] relies instead on an obfuscation scheme based on a fixed key,” the San Francisco-headquartered IoT security firm said. “Since this traffic traverses the internet, an attacker that is able to access it can reconstruct the audio/video stream.”
To demonstrate the vulnerability, the researchers created a proof-of-concept (PoC) exploit that deobfuscates on-the-fly packets from the network traffic.
ThroughTek recommends original equipment manufacturers (OEMs) using SDK 3.1.10 and above to enable AuthKey and DTLS, and those relying on an SDK version prior to 3.1.10 to upgrade the library to version 22.214.171.124 or v126.96.36.199 and enable AuthKey/DTLS.
Since the flaw affects a software component that’s part of the supply chain for many OEMs of consumer-grade security cameras and IoT devices, the fallout from such exploitation could effectively breach the security of the devices, enabling the attacker to access and view confidential audio or video streams.
“Because ThroughTek’s P2P library has been integrated by multiple vendors into many different devices over the years, it’s virtually impossible for a third-party to track the affected products,” the researchers said.