ThroughTek security flaw leaves millions of cameras open for spying

Critical software vulnerability could enable threat actors to eavesdrop on people and companies or even obtain critical information

A critical software flaw could be exploited to spy on you

Cybersecurity and Infrastructure Security Agency (CISA) have recently warned that millions of surveillance and home security cameras have a severe software flaw that cybercriminals could misuse to gain unauthorized access to them. Remote attackers could tap into video and audio feeds.

The CVE-2021-32934 vulnerability was found in a supply-chain component developed by ThroughTek. Original equipment manufacturers (OEMs) producing security cameras and Internet of Things (IoT)^[1] gadgets (baby monitors, smart doorbell cams, home robots, etc.) use the company's software.

In the released ICS Advisory,^[2] CISA stated that there are no reports of this software vulnerability being exploited in the wild at the moment. But users of the abovementioned equipment should be aware of the security issue and mitigate it with recommended actions.

Baby monitors, home or work cameras can expose crucial details or sensitive data

The security flaw was discovered in the peer-to-peer (P2P) software development kit (SDK) of ThroughTek. The company has released a statement^[3] identifying that the vulnerability is active and exploitable in devices using these P2P SDK versions:

• SDK versions with nossl tag;
• All versions prior to 3.1.10;
• Device firmware that uses AVAPI module without enabling DTLS mechanism;
• Device firmware that does not use AuthKey for IOTC connection;
• and device firmware using P2PTunnel or RDT module.

The CVE-2021-32934 vulnerability exposes the lack of security in the P2P connection between the ThroughTek servers and the local device.^[4] As a result, an attacker could attack it and connect directly to a device. This could have various consequences depending on what the product is used for.

If it's a baby monitor, then apart from being very creepy, the criminal would probably search for a better target. If it's a home surveillance camera, threat actors could watch victims and record whatever they're doing or plan a physical attack as the floorplans and valuables would be observed, and they would know if homeowners are home or not.

If the device prone to eavesdropping is in a company, there are tons of possible outcomes. For example, by intercepting a video audio feed, the attackers could manage to attain sensitive business data, production secrets, employee information, and so on. Thus the vulnerability must be fixed ASAP.

Actions to avoid unwanted connections and spying

Unfortunately, end-users of products with severe security vulnerability can't mitigate it. They could only minimize network exposure for all control system devices, isolate control system networks and remote devices from business networks, and use Virtual Private Networks (VPNs) to enhance security when a remote connection is required.^[5]

ThroughTek has instructed all its customers to update the enable Authkey and DTLS in SDK versions 3.1.10 and above. If the SDK library's version is below 3.1.10, an upgrade to 3.3.1.0 or 3.4.2.0 is required and enablement of the same two functions.

The company tried to reassure users that the exploitation of their security vulnerability would require threat actors to have extensive knowledge of network sniffer tools, network security, and encryption algorithms. Still, home users should think twice before remotely connecting to their IoT devices and inspect such gadgets thoroughly before buying them.