Millions of Connected Cameras Open to Eavesdropping

by | Jun 17, 2021

cameras eavesdropping vulnerability

Post Views: 1,093

Reading Time: 1 Minute

 

Millions of connected security and home cameras contain a critical software vulnerability that can allow remote attackers to tap into video feeds, according to a warning from the Cybersecurity and Infrastructure Security Agency (CISA).

 

 

The bug (CVE-2021-32934, with a CVSS v3 base score of 9.1) has been introduced via a supply-chain component from ThroughTek that’s used by several original equipment manufacturers (OEMs) of security cameras – along with makers of IoT devices like baby- and pet-monitoring cameras, and robotic and battery devices.

The potential issues stemming from unauthorized viewing of feeds from these devices are myriad: For critical infrastructure operators and enterprises, video-feed interceptions could reveal sensitive business data, production/competitive secrets, information on floorplans for use in physical attacks, and employee information. And for home users, the privacy implications are obvious.

In its alert, issued Tuesday, CISA said that so far, no known public exploits are targeting the bug in the wild yet.

 

See Also: RockYou2021: largest password compilation of all time leaked online – 8.4 billion entries

 

 

Vulnerable P2P SDK

 

The ThroughTek component at issue is its peer-to-peer (P2P) software development kit (SDK), which has been installed in several million connected devices, according to the supplier. It’s used to provide remote access to audio and video streams over the internet.

Nozomi Networks, which discovered the bug, noted that the way P2P works is based on three architectural aspects:

  • A network video recorder (NVR), which is connected to security cameras and represents the local P2P server that generates the audio/video stream.
  • An offsite P2P server, managed by the camera vendor or P2P SDK vendor. This server acts as a middleman, allowing the client and NVR to establish a connection to each other.
  • A software client, either a mobile or a desktop application, that accesses the audio/video stream from the internet.

“A peculiarity of P2P SDKs…is that OEMs are not just licensing a P2P software library,” analysts at Nozomi Networks pointed out, in a Tuesday posting. “They also receive infrastructure services (the offsite P2P server) for authenticating clients and servers and handling the audio/video stream.”

In analyzing the specific client implementation for ThroughTek’s P2P platform and the network traffic generated by a Windows client connecting to the NVR through P2P, Nozomi researchers found that the data transferred between the local device and ThroughTek servers lacked a secure key exchange, relying instead on an obfuscation scheme based on a fixed key.

“After setting a few breakpoints in the right spots, we managed to identify interesting code where the network’s packet payload is de-obfuscated,” according to Nozomi’s writeup. “Since this traffic traverses the internet, an attacker that is able to access it can reconstruct the audio/video stream.”

See Also: Offensive Security Tool: CloudFail

 

 

Nozomi was able to create a proof-of-concept script that de-obfuscates on-the-fly packets from network traffic, it said, but no further technical details were given. Notably, ThroughTek’s advisory also listed device-spoofing and device-certificate hijacking as other potential risks from any exploitation of the bug. The supplier has patched the issue in the latest version of the firmware.

 

Affected Versions and Remedies:

 

  • All versions below 3.1.10
  • SDK versions with nossl tag
  • Device firmware that does not use AuthKey for IOTC connection
  • Device firmware that uses AVAPI module without enabling DTLS mechanism
  • Device firmware that uses P2PTunnel or RDT module

 

Actions to Take:

 

  • If SDK is 3.1.10 and above, enable Authkey and DTLS
  • If SDK is below 3.1.10, upgrade library to 3.3.1.0 or 3.4.2.0 and enable Authkey/DTLS

Unfortunately, end users will be forced to rely on camera and IoT manufacturers to install the updates – ThroughTek’s vendor partners are not public.


See Also: Jeff Moss, aka Dark Tangent, the person who founded DEF CON and Black Hat

 

 

“Because ThroughTek’s P2P library has been integrated by multiple vendors into many different devices over the years, it’s virtually impossible for a third party to track the affected products,” Nozomi researchers said.

IoT camera bugs are hardly rare: Last month, for instance, owners of Eufy home-security cameras were warned of an internal server bug that allowed strangers to view, pan and zoom in on their home-video feeds. Customers were also suddenly given access to do the same to other users.

 

 

Source: threatpost.com

 

 

(Click Link)

Offensive Security & Ethical Hacking Course

Begin the learning curve of hacking now!

Information Security Solutions

Find out how Pentesting Services can help you.

Join our Community

Share This