
Critical supply chain flaw exposes IoT cameras to cyber attack

Hackers can exploit the vulnerability in ThroughTek's P2P SDK to spy on video feeds and steal data

A severe vulnerability in the software development kits (SDKs) of a key supplier for Internet of Things (IoT) devices has exposed swathes of industrial hardware to cyber attack.

The vulnerability lies in ThroughTek’s P2P SDK, which is used to provide remote access to audio or video streams over the internet. It’s used by multiple camera vendors and is deployed in many CCTV systems, as well as other IoT devices such as baby and pet monitoring cameras.

Hackers can exploit the flaw, which is rated 9.1 out of ten on the CVSS threat severity scale, to access media feeds and obtain sensitive data. The vulnerability also lets attackers spoof devices and hijack their certificates.

Researchers with Nozomi Networks discovered the flaw and reported it to the company in line with its disclosure policy. The severity of the vulnerability has also prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert warning businesses that their systems may be vulnerable.

“Generally, when a buyer looks at the technical details of various security cameras, they are unable to identify the P2P provider or find a proper description of the protocol,” Nozomi said in a blog post. “In our experience, the best and only way to get this information is to look directly at the client/server implementation. Unfortunately, most buyers do not have the skills or inclination to do this.

“Therefore, the best way to prevent captured audio/video content from being viewed by strangers over the internet is to disable P2P functionality. We recommend that users only enable P2P in the rare situations where the vendor can provide a thorough technical explanation of why the algorithms used in their products are secure.”

Nozomi researchers first discovered the flaw when analysing the network traffic for a network video recorder with P2P functionality. They soon identified the technical nature of the vulnerability and developed a proof-of-concept script to exploit it. The flaw affects versions 3.1.5 and prior of the P2P SDK.

ThroughTek confirmed it recently discovered that some of its customers had incorrectly implemented its SDK, or had disregarded SDK version updates. The flaw, which ThroughTek describes as being within the P2P library TUTK, has been addressed in version 3.3 and onwards of the SDK, which was released in mid-2020.

“We strongly suggest that you review the SDK version applied in your product and follow the instructions below to avoid any potential problems,” the company said in a statement.

“On this note, we would like to encourage you to keep a close watch to our future SDK releases in response to new security threats. If you have any further questions, please do not hesitate to contact your TUTK contact window for further assistance.”

There are no reports of active exploitation yet, although the fact that CISA has been moved to issue an alert, combined with the 9.3 CVSS threat severity score, suggests exploitation is likely on systems that haven’t been updated.
