CISA has newly issued an ICS (Industrial Control Systems) advisory for a ThroughTek device P2P vulnerability that could allow malicious entities unauthorized access to audio and video feeds.

Finding the ThroughTek P2P critical vulnerability :

To the unaware, ThroughTek Co is a software company that provides turnkey IoT & M2M solutions for surveillance, security systems, smart homes, personal cloud storage, and consumer electronics.

Surveillance camera and smart device dealers extensively implement ThroughTek software components that get incorporated into millions of connected devices ranging from IP cameras to baby and pet monitoring cameras as well as robotic and battery devices. It is also an essential component of the supply chain for multiple original equipment manufacturers of consumer-grade security cameras and IoT devices.

Detailing the vulnerability that CISA has issued an ICS advisory for, it was discovered by security organization Nozomi Network in the ThroughTek P2P SDK. 

Here,  P2P refers to functionality that allows a user on a mobile or desktop app to access audio/video streams from a camera or device through the internet.

Also read,

Assessing the bug:

It was found that the vulnerability, scoring a critical severity rating of 9.1 of 10 on the CVSS scale, could not only allow threat actors to get the feed access but also has the potential to hijack a compromised device’s certificate. It has also been characterized as a vulnerability that can be remotely exploited and not complex to attack.

According to the CISA advisory, the vulnerability is persistent in versions 3.1.5 and older; SDK versions with nossl tag; and device firmware that does not use AuthKey for IOTC connection, uses the AVAPI module without enabling DTLS or uses the P2PTunnel or RDT module.

“ThroughTek P2P products do not sufficiently protect data transferred between the local device and ThroughTek servers. This can allow an attacker to access sensitive information, such as camera feeds,” CISA implied in the security advisory. 

In their defense, ThroughTek placed the blame firmly on developers who have incorrectly implemented its SDK or failed to update the offering. It said that version 3.3 was introduced back in mid-2020 to fix this vulnerability and urged any customers to update the SDK version used in their products.

ThroughTek notes that any original equipment makers running SDK 3.1.10 and above should enable Authkey and DTLS. If SDK is below 3.1.10, the library needs to be upgraded to or, and the Authkey/DTLS needs to be enabled. 

CISA has mentioned that users should particularly mitigate their risks by curbing network exposure for all control system devices and ensuring none are accessible from the internet.