The vulnerability would allow threat actors to remotely compromise a targeted ThroughTek IoT device and watch the real-time video feed, listen to audio, and compromise device credentials for additional attacks.
The cybersecurity researchers at FireEye have shared details of a critical IoT supply chain vulnerability that might be exposing millions of ThroughTek internet-connected cameras to espionage. Reportedly, the flaw affects IoT cameras worldwide and lets attackers hijack video streams.
It is worth noting that at the time of publishing this article; ThroughTek claims to have more than 83 million active IoT devices and over 1.1 billion monthly connections on their platform.
Flaw Identified in ThroughTek’s P2P SDK
The flaw was discovered in ThroughTek’s software core component of the Kalay cloud platform used by OEMs to manufacture IP cameras, baby/pet monitoring cameras, battery devices, and robotic devices.
The vulnerability (CVE-2021-28372) is present in the company’s P2P SDK, which is a function that allows a client on a desktop or mobile app to access the camera’s audio or video streams via the internet.
It is reported that the protocol used to transmit these data streams don’t possess a secure key exchange. Instead, it relies on a fixed key-based obfuscation scheme. Hence, attackers can access it and construct the audio/video stream to spy on users remotely.
Moreover, it can allow attackers to carry out device spoofing, eavesdropping on-camera audio/video, and hijack device certificates.
CISA Releases Security Alert
Yesterday, CISA released a separate advisory for ThroughTek P2P SDK and gave it a CVSS score of 9.1, stating that:
“ThroughTek supplies multiple original equipment manufacturers of IP cameras with P2P connections as part of its cloud platform. Successful exploitation of this vulnerability could permit unauthorized access to sensitive information, such as camera audio/video feeds.”
CISA noted that the vulnerability impacts SDK version 3.1.5 and older, versions with nossl tag, and device firmware lacking AuthKey for IOTC connection and using the RDT module, P2PTunnel, or AVAPI module without enabling DTLS.
The advisory revealed that the impacted P2P products don’t adequately protect the data transmitted between the company’s servers and the local device, letting the attackers access sensitive data such as camera feeds.
CVE-2021-28372 poses a huge risk to an end user’s security and privacy and should be mitigated appropriately. Unprotected devices, such as IoT cameras, can be compromised remotely with access to a UID and further attacks are possible depending on the functionality exposed by a device, FireEye researchers warned in a blog post.
Vulnerability Proof of Concept
The company conveniently blamed developers who incorrectly implemented its SDK or didn’t update to the latest version. ThroughTek claims that it introduced version 3.3 in mid-2020 to fix this issue and update its devices’ SDK version, and those who didn’t upgrade the software are vulnerable to this threat.