Critical supply chain flaw exposes IoT cameras to cyber attack

A key supplier for Internet of Things (IoT) devices has sustained a severe vulnerability in its software development kits (SDKs) that has exposed swathes of industrial hardware to cyber attack.

The vulnerability lies in ThroughTek’s P2P SDK, which is used to provide remote access to audio or video streams over the internet. It’s used by multiple camera vendors and is deployed in many CCTV systems, as well as other IoT devices such as baby and pet monitoring cameras.

Hackers can exploit the flaw, which is rated 9.1 out of ten on the CVSS threat severity scale, to access media feeds as well as gain sensitive data. Alongside obtaining data, the vulnerability also lets attackers spoof devices and hijack their certificates.

Researchers with Nozomi Networks discovered the flaw, and reported it to the company in line with its disclosure policy. The severity of the vulnerability has also forced the US Cyber security & Infrastructure Agency (CISA) to issue an alert warning businesses that their systems may be vulnerable.

“Generally, when a buyer looks at the technical details of various security cameras, they are unable to identify the P2P provider or find a proper description of the protocol,” Nozomi said in a blog post. “In our experience, the best and only way to get this information is to look directly at the client/server implementation. Unfortunately, most buyers do not have the skills or inclination to do this.

“Therefore, the best way to prevent captured audio/video content from being viewed by strangers over the internet is to disable P2P functionality. We recommend that users only enable P2P in the rare situations where the vendor can provide a thorough technical explanation of why the algorithms used in their products are secure.”

Nozomi researchers first discovered the flaw when analysing the network traffic for a network video recorder with P2P functionality. They shortly identified the technical nature of the vulnerability and developed a proof-of-concept script to exploit it. The flaw affects versions 3.1.5 and prior of the P2P SDK.

ThroughTek confirmed it recently discovered that some of its customers had incorrectly implemented its SDK, or have disregarded SDK version updates. The flaw, which ThroughTek describes as being within the P2P library TUTK, has been addressed with version 3.3 and onwards of the SDK, which was released in mid-2020.

“We strongly suggest that you review the SDK version applied in your product and follow the instructions below to avoid any potential problems,” the company said in a statement.

“On this note, we would like to encourage you to keep a close watch to our future SDK releases in response to new security threats. If you have any further questions, please do not hesitate to contact your TUTK contact window for further assistance.”

There are no reports of active exploitations yet, although the fact CISA has been moved to issue an alert, combined with the 9.3 CVSS threat severity score, suggests exploitation is likely on systems that haven’t been updated.