Critical supply chain flaw exposes IoT cameras to cyber attack

Hackers can exploit the vulnerability in ThroughTek's P2P SDK to spy on video feeds and steal data

A severe vulnerability in the software development kits (SDKs) of a key supplier for Internet of Things (IoT) devices has exposed swathes of industrial hardware to cyber attack.

The vulnerability lies in ThroughTek’s P2P SDK, which is used to provide remote access to audio or video streams over the internet. It’s used by multiple camera vendors and is deployed in many CCTV systems, as well as other IoT devices such as baby and pet monitoring cameras.

Hackers can exploit the flaw, which is rated 9.1 out of ten on the CVSS threat severity scale, to access media feeds and obtain sensitive data. The vulnerability also lets attackers spoof devices and hijack their certificates.

Researchers with Nozomi Networks discovered the flaw and reported it to the company in line with its disclosure policy. The severity of the vulnerability has also prompted the US Cybersecurity & Infrastructure Security Agency (CISA) to issue an alert warning businesses that their systems may be vulnerable.

“Generally, when a buyer looks at the technical details of various security cameras, they are unable to identify the P2P provider or find a proper description of the protocol,” Nozomi said in a blog post. “In our experience, the best and only way to get this information is to look directly at the client/server implementation. Unfortunately, most buyers do not have the skills or inclination to do this.

“Therefore, the best way to prevent captured audio/video content from being viewed by strangers over the internet is to disable P2P functionality. We recommend that users only enable P2P in the rare situations where the vendor can provide a thorough technical explanation of why the algorithms used in their products are secure.”

Nozomi researchers first discovered the flaw when analysing the network traffic of a network video recorder with P2P functionality. They soon identified the technical nature of the vulnerability and developed a proof-of-concept script to exploit it. The flaw affects versions 3.1.5 and prior of the P2P SDK.

ThroughTek confirmed it recently discovered that some of its customers had incorrectly implemented its SDK, or had disregarded SDK version updates. The flaw, which ThroughTek describes as being within the P2P library TUTK, has been addressed in version 3.3 and onwards of the SDK, which was released in mid-2020.

“We strongly suggest that you review the SDK version applied in your product and follow the instructions below to avoid any potential problems,” the company said in a statement.

“On this note, we would like to encourage you to keep a close watch to our future SDK releases in response to new security threats. If you have any further questions, please do not hesitate to contact your TUTK contact window for further assistance.”

There are no reports of active exploitation yet, although the fact that CISA has been moved to issue an alert, combined with the 9.3 CVSS threat severity score, suggests exploitation is likely on systems that haven’t been updated.
