CISA (Cybersecurity and Infrastructure Security Agency) has published a new advisory warning about a novel flaw in the ThroughTek P2P SDK versions 3.1.5 and older that could permit unauthorized access to cleartext video and audio feeds from millions of affected cameras. The flaw is tracked as “CVE-2021-32934” and carries a severity score of 9.1 under the CVSS v3 scoring standard. It is exploitable remotely, and with low attack complexity.
According to the advisory, the following products are affected by the flaw:
The proposed mitigations are the following:
CISA also suggests that users minimize network exposure for all control system devices, locate control system networks and remote devices behind firewalls, and isolate them from the business network. If remote access is required and there is no other option, reliable VPNs should be deployed to secure that access and to encrypt the data flowing in both directions.
ThroughTek has clarified that this issue has been addressed in SDK version 3.3 and onwards, which was released last summer. Even though a full year has passed since then, it appears there is still a noteworthy number of customers who have either ignored the new version or have not implemented it correctly. These customers account for several million devices, so the impact of this flaw is considerable.
As for who discovered the vulnerability, that would be researchers at ‘Nozomi Networks Labs.’ They found that the video and audio feed passed through ThroughTek’s P2P platform lacks a secure key exchange and relies instead on an obfuscation scheme based on a fixed key. They then created a proof-of-concept script that deobfuscates packets on the fly from sniffed network traffic and disclosed the bug to ThroughTek in March 2021.