IoT Supply Chain Bug Hits Millions of Cameras

Security experts have warned of a critical IoT supply chain vulnerability that may affect millions of connected cameras globally, allowing attackers to hijack video streams.

Nozomi Networks revealed the flaw in a popular software component from ThroughTek, which OEMs use to manufacture IP cameras, baby and pet monitoring cameras, and robotic and battery devices.

The bug itself is found in a P2P SDK produced by the firm. In this case, P2P refers to functionality that allows a client on a mobile or desktop app to access audio/video streams from a camera or device through the internet.

Nozomi Networks claimed that the protocol used for transmission of those data streams “lacks a secure key exchange and relies instead it on an obfuscation scheme based on a fixed key.”

This means that unauthorized attackers could access it to reconstruct the audio/video stream — effectively enabling them to snoop on users remotely.

CISA released its own security alert for the ThroughTek P2P SDK yesterday, giving it a critical CVSS score of 9.1. According to the advisory, it affects: versions 3.1.5 and older; SDK versions with nossl tag; and device firmware that does not use AuthKey for IOTC connection, uses the AVAPI module without enabling DTLS, or uses the P2PTunnel or RDT module.

ThroughTek placed the blame firmly on developers who have incorrectly implemented its SDK or failed to update the offering.

It said version 3.3 was introduced in mid-2020 to fix this vulnerability and urged any customers to update the SDK version used in their products.

It also revealed that the bug could lead to unauthorized eavesdropping on camera video and audio and device spoofing and device certificate hijacking.

The case highlights the challenges facing users of IoT and other devices, which have complex supply chains using components from third parties.

Last year, several zero-day vulnerabilities were discovered in a widely used low-level TCP/IP software library that may have impacted hundreds of millions of IoT devices.

In April this year, researchers found multiple flaws dubbed “Name:Wreck” in popular IT software FreeBSD and various IoT/OT firmware types, which they claimed could be present in over 100 million devices.

What’s Hot on Infosecurity Magazine?