June 16, 2021

ThroughTek vulnerability lets attackers access security camera video feeds

By Robert Scammell

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that a vulnerability in ThroughTek software used in connected devices, including baby monitoring cameras, could give attackers access to camera video and audio feeds.

ThroughTek’s software development kits (SDKs) are used by original equipment manufacturers in millions of consumer security cameras worldwide, along with internet of things (IoT) devices. These range from pet monitoring cameras to those used in industrial settings.

Devices running the vulnerable SDKs are also used by businesses, giving attackers access to employee, production, customer and other sensitive data. A successful exploit could also allow attackers to spoof devices and hijack device certificates.

The vulnerability’s low attack complexity and the ability to exploit it remotely earned it a Common Vulnerability Scoring System (CVSS) score of 9.1 out of 10.

The vulnerability, named CVE-2021-32934, affects all SDK versions up to and including version 3.1.5.

Security firm Nozomi Networks discovered the ThroughTek vulnerability and reported it to CISA. Nozomi advises industrial and critical infrastructure users to only enable P2P – a functionality for accessing audio and video streams via the internet – in “rare situations”.

Specifically, P2P should only be enabled when “the device vendor can provide a thorough technical explanation of why the algorithms used in their products are secure”.

CISA and ThroughTek have provided two mitigations for security teams and manufacturers to implement. If the SDK version is 3.1.10 and above, original equipment manufacturers should enable authkey and DTLS.

If the SDK is any version prior to 3.1.10, ThroughTek advises upgrading the library to v3.3.1.0 or v3.4.2.0 and enabling authkey/DTLS.

In a statement, Taiwan-headquartered ThroughTek said: “This vulnerability has been addressed in SDK version 3.3 and onwards, which was released at mid-2020. We strongly suggest that you review the SDK version applied in your product and follow the instructions below to avoid any potential problems.

“On this note, we would like to encourage you to keep a close watch to our future SDK releases in response to new security threats.”

Poor cybersecurity in internet-connected cameras is a fairly common occurrence. In November 2020, security researchers discovered “high-risk security issues” in 11 smart doorbells available to purchase through Amazon and eBay.