"IoT Supply Chain Bug Hits Millions of Cameras"

Security experts from Nozomi Networks have warned of a critical IoT supply chain vulnerability that may affect millions of connected cameras globally, allowing attackers to hijack video streams. Nozomi Networks revealed the flaw in a popular software component from ThroughTek, which OEMs use to manufacture IP cameras, baby and pet monitoring cameras, and robotic and battery devices.

CISA released its own security alert for the ThroughTek P2P SDK yesterday, giving it a critical CVSS score of 9.1. According to the advisory, it affects: versions 3.1.5 and older; SDK versions with the nossl tag; and device firmware that does not use AuthKey for the IOTC connection, uses the AVAPI module without enabling DTLS, or uses the P2PTunnel or RDT module.

In this case, P2P refers to functionality that allows a client on a mobile or desktop app to access audio/video streams from a camera or device through the internet. Nozomi Networks claimed that the protocol used for transmission of those data streams lacks a secure key exchange, and it relies instead on an obfuscation scheme based on a fixed key. This means that unauthorized attackers could access it to reconstruct the audio/video stream, effectively enabling them to snoop on users remotely. The bug could also lead to unauthorized eavesdropping on camera video and audio, device spoofing, and device certificate hijacking.

ThroughTek placed the blame firmly on developers who have incorrectly implemented its SDK or failed to update the offering. ThroughTek stated that version 3.3 was introduced in mid-2020 to fix this vulnerability and urged any customers to update the SDK version used in their products.
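The design weakness the article describes, a stream hidden only by a fixed key shared by every copy of an SDK rather than a key agreed per session, can be illustrated with a small constructed example. The code below is an added illustration, not ThroughTek's code or protocol: the fixed key, the HMAC-based keystream, and the toy Diffie-Hellman parameters are all assumptions chosen for the demonstration. It contrasts the fixed-key scheme, which any party holding the same SDK can reverse, with a per-session key derived from an exchange and protected by an integrity tag, which a third party with SDK knowledge but no session secret cannot open.

```python
"""
Constructed illustration of a fixed-key obfuscation scheme versus a per-session
key with integrity protection. Not ThroughTek's actual code or protocol.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Assumed stand-in for an SDK-wide fixed obfuscation key. Every device and every
# client built from the same SDK would carry it, so it cannot act as a secret.
FIXED_SDK_KEY = b"constructed-fixed-sdk-key"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here as a simple keystream generator."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Weak design: fixed key, no key exchange, no integrity tag ---------------

def obfuscate_fixed(frame: bytes) -> bytes:
    """Hide a frame using only the SDK-wide fixed key (no per-session secret)."""
    return _xor(frame, _keystream(FIXED_SDK_KEY, b"", len(frame)))


def deobfuscate_fixed(blob: bytes) -> bytes:
    """The same fixed key reverses the obfuscation, so any SDK holder can do it."""
    return _xor(blob, _keystream(FIXED_SDK_KEY, b"", len(blob)))


# --- Stronger design: per-session key from a key exchange + integrity tag ---

# Toy Diffie-Hellman parameters for illustration only (assumed, not a standard
# group); a real deployment would use DTLS or a vetted key-exchange library.
P = 2**127 - 1
G = 3


def dh_keypair() -> Tuple[int, int]:
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def _derive(session_key: bytes) -> Tuple[bytes, bytes]:
    enc_key = hmac.new(session_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(session_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def session_protect(session_key: bytes, frame: bytes) -> bytes:
    """Encrypt-then-MAC with a fresh nonce; the key never ships inside the SDK."""
    enc_key, mac_key = _derive(session_key)
    nonce = secrets.token_bytes(12)
    ct = _xor(frame, _keystream(enc_key, nonce, len(frame)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def session_open(session_key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the frame, or None when the tag fails (wrong key or tampering)."""
    if len(blob) < 12 + 32:
        return None
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    enc_key, mac_key = _derive(session_key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def demo() -> dict:
    frame = b"constructed video frame bytes"  # constructed sample payload
    # Fixed-key design: a third party holding the SDK recovers the stream.
    third_party_view = deobfuscate_fixed(obfuscate_fixed(frame))

    # Session design: camera and app each generate an ephemeral key pair.
    cam_priv, cam_pub = dh_keypair()
    app_priv, app_pub = dh_keypair()
    cam_key = dh_shared(cam_priv, app_pub)
    app_key = dh_shared(app_priv, cam_pub)
    blob = session_protect(cam_key, frame)

    # An observer with the SDK but no session secret derives a different key.
    obs_priv, _ = dh_keypair()
    observer_key = dh_shared(obs_priv, cam_pub)
    tampered = blob[:-1] + bytes([blob[-1] ^ 1])
    return {
        "fixed_key_recovered": third_party_view == frame,
        "session_keys_match": cam_key == app_key,
        "app_decrypts": session_open(app_key, blob) == frame,
        "observer_decrypts": session_open(observer_key, blob) is not None,
        "tamper_detected": session_open(app_key, tampered) is None,
    }


if __name__ == "__main__":
    print(demo())
```

The fixed-key branch has no per-session secret and no integrity check, which is why knowledge of the SDK alone suffices to reconstruct a frame or substitute one; the session branch ties confidentiality to an ephemeral secret and rejects modified data, which is the property a DTLS-protected channel provides in practice.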


Infosecurity reports: "IoT Supply Chain Bug Hits Millions of Cameras"
