Millions of connected security and home cameras contain a critical software vulnerability that can allow remote attackers to tap into video feeds that goes wild warns CISA.

The bug (CVE-2021-32934, with a CVSS v3 base score of 9.1) has been introduced via a supply-chain component from ThroughTek that’s used by several original equipment manufacturers (OEMs) of security cameras along with makers of IoT devices through which video feeds can be viewed paving way for potential attacks and privacy will be in a big question

P2P SDK

The ThroughTek component at issue is its P2P SDK installed in several million connected devices, It’s used to provide remote access to audio and video streams over the internet.

Nozomi Networks, which discovered the bug, noted that the way P2P works is based on three architectural aspects:

  • A network video recorder (NVR), which is connected to security cameras and represents the local P2P server that generates the audio/video stream.
  • An offsite P2P server, managed by the camera vendor or P2P SDK vendor. This server acts as a middleman, allowing the client and NVR to establish a connection to each other.
  • A software client, either a mobile or a desktop application, that accesses the audio/video stream from the internet.

Affected Versions and Remedies:

  • All versions below 3.1.10
  • SDK versions with nossl tag
  • Device firmware that does not use AuthKey for IOTC connection
  • Device firmware that uses AVAPI module without enabling DTLS mechanism
  • Device firmware that uses P2PTunnel or RDT module

Actions to Take:

  • If SDK is 3.1.10 and above, enable Authkey and DTLS
  • If SDK is below 3.1.10, upgrade library to 3.3.1.0 or 3.4.2.0 and enable Authkey/DTLS

IoT camera bugs are hardly rare: Last month, for instance, owners of Eufy home-security cameras warned of an internal server bug that allowed strangers to view, pan and zoom in on their home-video feeds. Customers were also suddenly given access to do the same to other users.