A supply-chain component contains a critical vulnerability that allows a remote attacker to eavesdrop on IoT camera feeds. CVE-2021-32934 has a CVSS score of 9.1. It was introduced through ThroughTek, a component that is commonplace in CCTV systems and in other connected camera devices such as baby monitors.
ThroughTek’s point-to-point (P2P) software development kit (SDK) is installed on millions of connected devices and is used to provide remote access to audio and video streams.
Local devices communicate with offsite P2P servers through a software client, in the form of a mobile or desktop application. It is here that researchers from Nozomi found an insecure cryptographic key exchange that relies on security through obscurity to hide a fixed key.
This makes it easier for an attacker to intercept packets, dissect the key and reconstruct audio and video streams.
For enterprises and critical infrastructure operators, sensitive business data, employee information, trade secrets and building layouts useful for physical attacks can be disclosed unwittingly to an attacker. For home users, a breach of privacy is their top concern.
Whilst patches have been released for SDK components, end-users will be forced to rely on the camera and IoT manufacturers to install the updates server-side – ThroughTek’s vendor partners are not public.
Affected versions of ThroughTek include:
- All versions below 3.1.10
- SDK versions with nossl tag
- Device firmware that does not use AuthKey for IOTC connection
- Device firmware that uses AVAPI module without enabling DTLS mechanism
- Device firmware that uses P2PTunnel or RDT module
The following remediation must be applied as soon as possible:
- If SDK is 3.1.10 and above, enable AuthKey and DTLS
- If SDK is below 3.1.10, upgrade the library to 18.104.22.168 or 22.214.171.124 and enable AuthKey/DTLS
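For teams that keep a firmware inventory, the affected-version criteria and the two remediation rules above can be applied mechanically. The following is an added example, not code from ThroughTek or Nozomi; the inventory schema (`sdk_version`, `authkey`, `dtls`, `modules`), the `-nossl` suffix format and the sample records are assumptions constructed for illustration.

```python
import re

FLOOR = (3, 1, 10)  # from the page: all versions below 3.1.10 are affected

def parse_sdk_version(text):
    """Split '3.1.10-nossl' into ((3, 1, 10), True); the tag format is assumed."""
    m = re.match(r"v?(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unparseable SDK version: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), "nossl" in m.group(2).lower()

def triage(device):
    """Check one inventory record (hypothetical schema) against the page's criteria."""
    nums, nossl = parse_sdk_version(device["sdk_version"])
    nums += (0,) * (len(FLOOR) - len(nums))  # '3.1' compares as 3.1.0
    modules = {m.lower() for m in device.get("modules", [])}
    findings = []
    # Numeric tuple comparison: as plain strings '3.1.9' sorts above '3.1.10'.
    below = nums < FLOOR
    if below:
        findings.append("SDK below 3.1.10")
    if nossl:
        findings.append("nossl SDK build")
    # Missing flags are treated as disabled, so unknown devices fail closed.
    if not device.get("authkey", False):
        findings.append("IOTC connection without AuthKey")
    if "avapi" in modules and not device.get("dtls", False):
        findings.append("AVAPI without DTLS")
    if modules & {"p2ptunnel", "rdt"}:
        findings.append("uses P2PTunnel or RDT module")
    if not findings:
        action = "none"
    elif below:
        action = "upgrade SDK library, then enable AuthKey and DTLS"
    else:
        action = "enable AuthKey and DTLS"
    return {"name": device["name"], "affected": bool(findings),
            "findings": findings, "action": action}

# Constructed sample inventory, not data from any real deployment.
INVENTORY = [
    {"name": "cam-lobby", "sdk_version": "3.1.9", "authkey": True, "dtls": True, "modules": ["AVAPI"]},
    {"name": "cam-dock", "sdk_version": "3.1.10", "authkey": True, "dtls": True, "modules": ["AVAPI"]},
    {"name": "cam-lab", "sdk_version": "3.1.10-nossl", "authkey": True, "dtls": True, "modules": []},
    {"name": "nvr-01", "sdk_version": "3.3.0", "modules": ["AVAPI", "RDT"]},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        print(triage(dev))
```

The action strings mirror only the two remediation bullets above; the target upgrade version is left out of the output and should be taken from the vendor's guidance.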