A security advisory published on Tuesday by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warns ThroughTek software users of a supply-chain vulnerability that, if exploited, may allow threat actors to gain unauthorized access to audio and video streams.
Tracked as CVE-2021-32934, the flaw has a 9.1 CVSS score which makes it a critical vulnerability. According to the report, the flaw affects ThroughTek P2P products version 3.1.5 and before, as well as SDK versions with the nossl tag. The root of the vulnerability is in the insufficient protection during data transfer between the ThroughTek’s servers and the local device.
Researchers are noting that a vulnerability like this, if exploited by malicious actors, may potentially grant them with access to sensitive information, such as audio and video streams.
Many IoT devices that rely on data transmission over the internet, such as IP cameras, baby and pet monitoring cameras, smart home appliances, and sensors, use the Point-to-Point (P2P) SDK of ThroughTek to provide remote access to their video and audio content via the internet.
The critical vulnerability was found in March 2021, and it was duly reported by Nozomi Networks. Users who are using devices that are vulnerable may be exposed to high risk of company, production, and personal data exploitation and leaks.
In order to demonstrate how critical the detected vulnerability is, the researchers developed a PoC (proof-of-concept) attack in which they managed to access packets of data while they were being transferred across the network.
In relation to CISA’s security advisory, ThroughTek recommends to original equipment manufacturers and partners that are using SDK version 3.1.10 and above to enable AuthKey and DTLS to increase their security. Users who are using SDK version older than 3.1.10. are advised to immediately upgrade to version 18.104.22.168 or v22.214.171.124 and also to enable AuthKey and DTLS in order to stay safe.
Since the detected flaw is related to a software component that is embedded in many consumer-grade Internet of Things devices and security cameras, a potential exploitation could lead to very serious consequences, as it may allow malicious actors to easily view personal audio and video streams or leak them online.