A new CISA advisory warns about a critical software supply-chain vulnerability affecting ThroughTek’s SDK (software development kit). The flaw, identified as CVE-2021-32934 could be abused to gain improper access to audio and video streams. Other compromise scenarios include spoofing vulnerable devices and hijacking their certificates.
ThroughTek Critical Vulnerability CVE-2021-32934
“ThroughTek supplies multiple original equipment manufacturers of IP cameras with P2P connections as part of its cloud platform. Successful exploitation of this vulnerability could permit unauthorized access to sensitive information, such as camera audio/video feeds,” CISA’s advisory says.
The issue stems from the fact that ThroughTek’s P2P products don’t protect data transferred between the local device and the company’s servers. The lack of protection could allow hackers to access sensitive information, including camera feeds. Due to immense risk stemming from the flaw, it has been rated with a CVSS score of 9.1, or critical.
Affected SDK version and firmware include all versions below 3.1.10; SDK versions with nossl tag; device firmware that doesn’t use AuthKey for IOTC connection; firmware that utilizes AVAPI module without enabling the DTLS mechanism, and firmware using P2PTunnel or RTD module.
It is noteworthy that successful exploitation of the CVE-2021-32934 vulnerability requires sophisticated knowledge of network security, network sniffer tools, and encryption algorithms.
Mitigations against CVE-2021-32934
ThroughTek has recommended two mitigation methods. Original equipment manufacturers should deploy the following mitigations:
- If SDK is Version 3.1.10 and above, enable authkey and DTLS.
- If SDK is any version prior to 3.1.10, upgrade library to v22.214.171.124 or v126.96.36.199 and enable authkey/DTLS.
“This vulnerability has been addressed in SDK version 3.3 and onwards, which was released at mid-2020. We STRONGLY suggest that you review the SDK version applied in your product and follow the instructions below to avoid any potential problems,” ThroughTek’s own advisory says.
The company also encourages its customers to continue monitoring the future SDK releases in response to new security threats.
Last year, millions of CCTV cameras and other IoT devices were found to be vulnerable to hacking attacks using several security bugs, including the one tracked in the CVE-2019-11219 advisory. A large majority of these devices are controlled by the CamHi application, and are overwhelmingly used across Europe and the UK.