CISA has released a new ICS advisory about a vulnerability found in a widely-used ThroughTek tool that gives attackers access to audio and video feeds as well as other sensitive information.
On top of the potential for data and video leakage, the company admitted that the vulnerability allows attackers to not just spoof a device but hijack a device’s certificate. CISA gave the vulnerability a score of 9.1 out of 10 on the CVSS vulnerability severity scale.
ThroughTek software components are used broadly by security camera and smart device vendors. Their tools are incorporated into millions of connected devices ranging from IP cameras to baby and pet monitoring cameras as well as robotic and battery devices. It is also an integral part of the supply chain for multiple original equipment manufacturers of consumer-grade security cameras and IoT devices.
Security company Nozomi Networks Labs discovered the vulnerability in ThroughTek’s P2P SDK and sent a notice about it to ThroughTek. The notice prompted CISA to release its own statement saying the vulnerability was remotely exploitable and was not complex to attack. The P2P functionality allows users to look at audio and video streams through the internet.
The vulnerability is present in versions 3.1.5 and prior, SDK versions with nossl tag, device firmware that does not use AuthKey for IOTC connection, device firmware using the AVAPI module without enabling DTLS mechanism, and device firmware using P2PTunnel or RDT module.
“ThroughTek P2P products do not sufficiently protect data transferred between the local device and ThroughTek servers. This can allow an attacker to access sensitive information, such as camera feeds,” CISA said in the release.
In a statement, ThroughTek said they “discovered” that some of their customers were implementing the company’s SDK “incorrectly” or had “disregarded” their SDK version updates. They noted that the vulnerability was addressed in SDK version 3.3 and onwards in 2020 but was still a problem for anything up to and including version 3.1.5.
ThroughTek said any original equipment manufacturers running SDK 3.1.10 and above should enable Authkey and DTLS. If SDK is below 3.1.10, the library needs to be upgraded to 3.3.1.0 or 3.4.2.0 and the Authkey/DTLS needs to be enabled.
CISA added that generally, users should minimize their risks by reducing network exposure for all control system devices and ensuring none are accessible from the internet.
IT administrators should locate control system networks and remote devices behind firewalls, and isolate them from the business network, according to CISA.
P2P component flaws have long been cited as one of the gravest risks to the use of IoT devices. In 2019, a vulnerability with iLnkP2P left more than two million IoT devices at risk of compromise.