A supply-chain component lays open camera feeds to remote attackers thanks to a critical security vulnerability.

Millions of connected security and home cameras contain a critical software vulnerability that can allow remote attackers to tap into video feeds, according to a warning from the Cybersecurity and Infrastructure Security Agency (CISA).

The bug (CVE-2021-32934, with a CVSS v3 base score of 9.1) has been introduced via a supply-chain component from ThroughTek that’s used by several original equipment manufacturers (OEMs) of security cameras – along with makers of IoT devices like baby- and pet-monitoring cameras, and robotic and battery devices.

, Millions of Connected Cameras Open to Eavesdropping, The Cyber Post

The potential issues stemming from unauthorized viewing of feeds from these devices are myriad: For critical infrastructure operators and enterprises, video-feed interceptions could reveal sensitive business data, production/competitive secrets, information on floorplans for use in physical attacks, and employee information. And for home users, the privacy implications are obvious.

In its alert, issued Tuesday, CISA said that so far, no known public exploits are targeting the bug in the wild yet.

Vulnerable P2P SDK

The ThroughTek component at issue is its peer-to-peer (P2P) software development kit (SDK), which has been installed in several million connected devices, according to the supplier. It’s used to provide remote access to audio and video streams over the internet.

Nozomi Networks, which discovered the bug, noted that the way P2P works is based on three architectural aspects:

  • A network video recorder (NVR), which is connected to security cameras and represents the local P2P server that generates the audio/video stream.
  • An offsite P2P server, managed by the camera vendor or P2P SDK vendor. This server acts as a middleman, allowing the client and NVR to establish a connection to each other.
  • A software client, either a mobile or a desktop application, that accesses the audio/video stream from the internet.

“A peculiarity of P2P SDKs…is that OEMs are not just licensing a P2P software library,” analysts at Nozomi Networks pointed out, in a Tuesday posting. “They also receive infrastructure services (the offsite P2P server) for authenticating clients and servers and handling the audio/video stream.”

In analyzing the specific client implementation for ThroughTek’s P2P platform and the network traffic generated by a Windows client connecting to the NVR through P2P, Nozomi researchers found that the data transferred between the local device and ThroughTek servers lacked a secure key exchange, relying instead on an obfuscation scheme based on a fixed key.

“After setting a few breakpoints in the right spots, we managed to identify interesting code where the network’s packet payload is de-obfuscated,” according to Nozomi’s writeup. “Since this traffic traverses the internet, an attacker that is able to access it can reconstruct the audio/video stream.”

Nozomi was able to create a proof-of-concept script that de-obfuscates on-the-fly packets from network traffic, it said, but no further technical details were given. Notably, ThroughTek’s advisory also listed device-spoofing and device-certificate hijacking as other potential risks from any exploitation of the bug. The supplier has patched the issue in the latest version of the firmware.

Affected Versions and Remedies:

  • All versions below 3.1.10
  • SDK versions with nossl tag
  • Device firmware that does not use AuthKey for IOTC connection
  • Device firmware that uses AVAPI module without enabling DTLS mechanism
  • Device firmware that uses P2PTunnel or RDT module

Actions to Take:

  • If SDK is 3.1.10 and above, enable Authkey and DTLS
  • If SDK is below 3.1.10, upgrade library to 3.3.1.0 or 3.4.2.0 and enable Authkey/DTLS

Unfortunately, end users will be forced to rely on camera and IoT manufacturers to install the updates – ThroughTek’s vendor partners are not public.

“Because ThroughTek’s P2P library has been integrated by multiple vendors into many different devices over the years, it’s virtually impossible for a third party to track the affected products,” Nozomi researchers said.

IoT camera bugs are hardly rare: Last month, for instance, owners of Eufy home-security cameras were warned of an internal server bug that allowed strangers to view, pan and zoom in on their home-video feeds. Customers were also suddenly given access to do the same to other users.

Join Threatpost for “Tips and Tactics for Better Threat Hunting” — a LIVE event on Wed., June 30 at 2:00 PM ET in partnership with Palo Alto Networks. Learn from Palo Alto’s Unit 42 experts the best way to hunt down threats and how to use automation to help. Register HERE for free!