The Cybersecurity and Infrastructure Security Agency (CISA) has released a new ICS advisory about a vulnerability that gives attackers access to audio and video feeds from connected cameras. CISA rated the vulnerability 9.1 out of 10.
The vulnerability was discovered in ThroughTek’s software, which is widely used to create video and audio feeds in security cameras for industrial control systems.
Besides the data and video leakage, the company confirmed the flaw could allow attackers to modify a device’s certificate.
ThroughTek’s software components are used by security camera and smart device manufacturers to integrate their products into millions of connected devices ranging from IP cameras to baby and pet monitoring cameras to robotic devices. They are also an integral part of the supply chain for the various original equipment manufacturers of security cameras and Internet of Things devices.
Nozomi Networks Labs first reported the flaw, which is found in ThroughTek’s P2P SDK, and notified the company. Later, CISA released its own statement saying the vulnerability could allow an attacker to remotely execute code and was not complex to exploit.
The issue has been reported in versions 3.1.5 and prior, SDK versions with the nossl tag, device firmware that does not use AuthKey for the IOTC connection, and device firmware using the AVAPI module without enabling the DTLS mechanism and P2PTunnel or RDT module.
CISA’s release noted that ThroughTek’s P2P servers do not sufficiently protect the data that they collect from local devices. “ThroughTek P2P products do not sufficiently protect data transferred between the local device and ThroughTek servers. This can allow an attacker to access sensitive information, such as camera feeds,” CISA said in the release.
ThroughTek said they “discovered” that some of their customers were implementing the company’s SDK “incorrectly” or did not update their SDKs. They noted that the vulnerability was still a problem for versions 3.1.5 and up.
ThroughTek apologized for the issues and said they were working with their customers to fix them. Any original equipment manufacturers that are running SDK 3.1.10 should enable AuthKey and DTLS.
The agency also noted that users should minimize their risks when it comes to controlling their devices by ensuring none are accessible from the internet. Administrators should also keep their devices and networks isolated from the business network.
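The affected-firmware conditions listed above can be checked against a device inventory. The following Python is an added example, not code from ThroughTek, Nozomi Networks or CISA; the record fields (`sdk_version`, `sdk_tag`, `authkey`, `dtls`, `modules`) and the sample devices are assumptions made for illustration, and use of P2PTunnel or RDT is read as a condition of its own.

```python
import re

def parse_version(text):
    """'3.1.10' -> (3, 1, 10); None when no dotted number is present."""
    match = re.match(r"\s*(\d+(?:\.\d+)*)", text or "")
    return tuple(int(p) for p in match.group(1).split(".")) if match else None

# Numeric tuples matter: compared as strings, "3.1.10" sorts before "3.1.5".
LAST_AFFECTED = parse_version("3.1.5")  # "versions 3.1.5 and prior"

def findings(device):
    """Return the conditions from the article that a device record matches."""
    hits = []
    version = parse_version(device.get("sdk_version"))
    if version is None:
        hits.append("SDK version unreadable, verify manually")
    elif version <= LAST_AFFECTED:
        hits.append("SDK version 3.1.5 or prior")
    if "nossl" in device.get("sdk_tag", "").lower():
        hits.append("SDK build with nossl tag")
    if not device.get("authkey", False):
        hits.append("AuthKey not used for IOTC connection")
    modules = {m.upper() for m in device.get("modules", [])}
    if "AVAPI" in modules and not device.get("dtls", False):
        hits.append("AVAPI module without DTLS")
    # Assumption: P2PTunnel/RDT use is treated as a separate condition.
    if modules & {"P2PTUNNEL", "RDT"}:
        hits.append("P2PTunnel or RDT module in use")
    return hits

def triage(inventory):
    """Map each device name to its list of findings (empty list = none)."""
    return {d["name"]: findings(d) for d in inventory}

# Constructed sample inventory; field names and devices are hypothetical.
INVENTORY = [
    {"name": "cam-a", "sdk_version": "3.1.10", "sdk_tag": "",
     "authkey": True, "dtls": True, "modules": ["AVAPI"]},
    {"name": "cam-b", "sdk_version": "3.1.5", "sdk_tag": "",
     "authkey": True, "dtls": True, "modules": ["AVAPI"]},
    {"name": "cam-c", "sdk_version": "3.1.10", "sdk_tag": "nossl",
     "authkey": False, "dtls": False, "modules": ["AVAPI", "RDT"]},
]

if __name__ == "__main__":
    for name, hits in triage(INVENTORY).items():
        print(name, "no findings" if not hits else "; ".join(hits))
```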
P2P component flaws are among the biggest threats to IoT devices. In 2019, more than 2 million devices were affected by such a flaw in iLnkP2P products.