{"id": "THN:5AB9B799387DFCA06785A794771CA81C", "type": "thn", "bulletinFamily": "info", "title": "Critical ThroughTek Flaw Opens Millions of Connected Cameras to Eavesdropping", "description": "[](<https://thehackernews.com/images/-JvsQDm5-TtQ/YMmVOUVdraI/AAAAAAAAC4A/GMDTo5itByQFDvOVL4lxuR_A3Vo0S-XpgCLcBGAsYHQ/s0/ThroughTek.jpg>)\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday issued an advisory regarding a critical software supply-chain flaw impacting ThroughTek's software development kit (SDK) that could be abused by an adversary to gain improper access to audio and video streams.\n\n\"Successful exploitation of this vulnerability could permit unauthorized access to sensitive information, such as camera audio/video feeds,\" CISA [said](<https://us-cert.cisa.gov/ics/advisories/icsa-21-166-01>) in the alert.\n\nThroughTek's point-to-point ([P2P](<https://www.throughtek.com/p2p-iot-connection/>)) SDK is widely used by IoT devices with video surveillance or audio/video transmission capability such as IP cameras, baby and pet monitoring cameras, smart home appliances, and sensors to provide remote access to the media content over the internet.\n\n[](<https://go.thn.li/1-300-4> \"Stack Overflow Teams\" )\n\nTracked as CVE-2021-32934 (CVSS score: 9.1), the shortcoming affects ThroughTek P2P products, versions 3.1.5 and before as well as SDK versions with nossl tag, and stems from a lack of sufficient protection when transferring data between the local device and ThroughTek's servers.\n\nThe flaw was reported by Nozomi Networks in March 2021, which noted that the use of vulnerable security cameras could leave critical infrastructure operators at risk by exposing sensitive business, production, and employee information.\n\n[](<https://thehackernews.com/images/-IWeuT7_NAfw/YMmgI3fC8yI/AAAAAAAAC4I/g1VSHkCzqOMIEbtEI_i1wE72xu9nBpNHwCLcBGAsYHQ/s0/ThroughTek-hack.jpg>)\n\n\"The [P2P] protocol used by ThroughTek lacks a secure key exchange [and] relies instead on an obfuscation scheme based on a fixed key,\" the San Francisco-headquartered IoT security firm [said](<https://www.nozominetworks.com/blog/new-iot-security-risk-throughtek-p2p-supply-chain-vulnerability/>). \"Since this traffic traverses the internet, an attacker that is able to access it can reconstruct the audio/video stream.\"\n\nTo demonstrate the vulnerability, the researchers created a proof-of-concept (PoC) exploit that deobfuscates on-the-fly packets from the network traffic.\n\n[](<https://go.thn.li/privileged_728> \"Prevent Data Breaches\" )\n\nThroughTek [recommends](<https://www.throughtek.com/about-throughteks-kalay-platform-security-mechanism/>) original equipment manufacturers (OEMs) using SDK 3.1.10 and above to enable AuthKey and [DTLS](<https://en.wikipedia.org/wiki/Datagram_Transport_Layer_Security>), and those relying on an SDK version prior to 3.1.10 to upgrade the library to version 3.3.1.0 or v3.4.2.0 and enable AuthKey/DTLS.\n\nSince the flaw affects a software component that's part of the supply chain for many OEMs of consumer-grade security cameras and IoT devices, the fallout from such an exploitation could effectively breach the security of the devices, enabling the attacker to access and view confidential audio or video streams.\n\n\"Because ThroughTek's P2P library has been integrated by multiple vendors into many different devices over the years, it's virtually impossible for a third-party to track the affected products,\" the researchers said.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "published": "2021-06-16T07:00:00", "modified": "2021-06-17T03:28:29", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://thehackernews.com/2021/06/critical-throughtek-flaw-opens-millions.html", "reporter": "The Hacker News", "references": [], "cvelist": ["CVE-2021-32934"], "immutableFields": [], "lastseen": "2021-06-17T04:35:45", "viewCount": 34, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:F43E0E83-AB20-454F-9F52-9A5B06742CB2"]}, {"type": "ics", "idList": ["ICSA-21-166-01"]}, {"type": "threatpost", "idList": ["THREATPOST:93843DFDBB801D0DB8A088076564EE58"]}, {"type": "thn", "idList": ["THN:5F0BF3B286FABC4330F3CD1158E8A64C"]}], "modified": "2021-06-17T04:35:45", "rev": 2}, "score": {"value": 0.4, "vector": "NONE", "modified": "2021-06-17T04:35:45", "rev": 2}, "vulnersScore": 0.4}, "cvss2": {}, "cvss3": {}}

{"attackerkb": [{"id": "AKB:F43E0E83-AB20-454F-9F52-9A5B06742CB2", "hash": "5982940f0431e995b43ca7d157edea36", "type": "attackerkb", "bulletinFamily": "info", "title": "CVE-2021-32934", "description": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.\n\n \n**Recent assessments:** \n \n**NinjaOperator** at June 16, 2021 10:40pm UTC reported:\n\nCritical software supply-chain flaw impacting ThroughTek\u2019s software development kit (SDK) that could be abused by threat actors to gain improper access to audio and video streams.\n\nSource: <https://us-cert.cisa.gov/ics/advisories/icsa-21-166-01> \n<https://thehackernews.com/2021/06/critical-throughtek-flaw-opens-millions.html>\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "published": "2021-05-13T00:00:00", "modified": "2021-05-13T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://attackerkb.com/topics/J3RxXHdZxD/cve-2021-32934", "reporter": "AttackerKB", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32934"], "cvelist": ["CVE-2021-32934"], "immutableFields": [], "lastseen": "2021-07-20T20:09:27", "history": [{"bulletin": {"id": "AKB:F43E0E83-AB20-454F-9F52-9A5B06742CB2", "hash": "45ce6b8fb05c3f0fb7127f9f8359b934", "type": "attackerkb", "bulletinFamily": "info", "title": "CVE-2021-32934", "description": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.\n\n \n**Recent assessments:** \n \n**NinjaOperator** at June 16, 2021 10:40pm UTC reported:\n\nCritical software supply-chain flaw impacting ThroughTek\u2019s software development kit (SDK) that could be abused by threat actors to gain improper access to audio and video streams.\n\nSource: <https://us-cert.cisa.gov/ics/advisories/icsa-21-166-01> \n<https://thehackernews.com/2021/06/critical-throughtek-flaw-opens-millions.html>\n", "published": "2021-05-13T00:00:00", "modified": "2021-05-13T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://attackerkb.com/topics/J3RxXHdZxD/cve-2021-32934", "reporter": "AttackerKB", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32934"], "cvelist": ["CVE-2021-32934"], "immutableFields": [], "lastseen": "2021-06-17T00:16:26", "history": [], "viewCount": 6, "enchantments": {"dependencies": {"references": [{"type": "ics", "idList": ["ICSA-21-166-01"]}, {"type": "threatpost", "idList": ["THREATPOST:93843DFDBB801D0DB8A088076564EE58"]}, {"type": "thn", "idList": ["THN:5AB9B799387DFCA06785A794771CA81C"]}], "modified": "2021-06-17T00:16:26", "rev": 2}, "score": {"value": 1.0, "vector": "NONE", "modified": "2021-06-17T00:16:26", "rev": 2}}, "objectVersion": "1.6", "attackerkb": {}, "wildExploited": false, "wildExploitedCategory": {}, "wildExploitedReports": [], "references_categories": {"Canonical": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32934"]}, "tags": [], "mitre_vector": {}, "last_activity": "2000-01-01T10:00:00"}, "lastseen": "2021-06-17T00:16:26", "differentElements": ["attackerkb", "description", "last_activity", "mitre_vector"], "edition": 1}], "viewCount": 10, "enchantments": {"dependencies": {"references": [{"type": "thn", "idList": ["THN:5F0BF3B286FABC4330F3CD1158E8A64C", "THN:5AB9B799387DFCA06785A794771CA81C"]}, {"type": "ics", "idList": ["ICSA-21-166-01"]}, {"type": "threatpost", "idList": ["THREATPOST:93843DFDBB801D0DB8A088076564EE58"]}], "modified": "2021-07-20T20:09:27", "rev": 2}, "score": {"value": 1.3, "vector": "NONE", "modified": "2021-07-20T20:09:27", "rev": 2}}, "objectVersion": "1.5", "attackerkb": {"attackerValue": 0, "exploitability": 0}, "wildExploited": false, "wildExploitedCategory": {}, "wildExploitedReports": [], "references_categories": {"Canonical": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32934"]}, "tags": [], "mitre_vector": {"Initial Access": ["Supply Chain Compromise: Compromise Software Supply Chain(Validated)"]}, "last_activity": "2021-06-16T22:40:00", "_object_type": "robots.models.attackerkb.AttackerKB", "_object_types": ["robots.models.attackerkb.AttackerKB", "robots.models.base.Bulletin"], "cvss2": {}, "cvss3": {}}], "ics": [{"id": "ICSA-21-166-01", "hash": "36b720e0928c8fb6f107f7f912daa933", "type": "ics", "bulletinFamily": "info", "title": "ThroughTek P2P SDK", "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 9.1**\n * **ATTENTION:** Exploitable remotely/low attack complexity\n * **Vendor: **ThroughTek\n * **Equipment: **P2P SDK\n * **Vulnerability: **Cleartext Transmission of Sensitive Information\n\n## 2\\. RISK EVALUATION\n\nThroughTek supplies multiple original equipment manufacturers of IP cameras with P2P connections as part of its cloud platform. Successful exploitation of this vulnerability could permit unauthorized access to sensitive information, such as camera audio/video feeds.\n\n## 3\\. TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nThe following versions of P2P Software Development Kit (SDK) are affected:\n\n * Versions 3.1.5 and prior\n * SDK versions with nossl tag\n * Device firmware that does not use AuthKey for IOTC connection\n * Device firmware using the AVAPI module without enabling DTLS mechanism\n * Device firmware using P2PTunnel or RDT module\n\n### 3.2 VULNERABILITY OVERVIEW\n\n#### 3.2.1 [CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319](<https://cwe.mitre.org/data/definitions/319.html>)\n\nThe affected ThroughTek P2P products do not sufficiently protect data transferred between the local device and ThroughTek servers. This can allow an attacker to access sensitive information, such as camera feeds.\n\n[CVE-2021-32934](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32934>) has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N>)).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS: **Communications\n * **COUNTRIES/AREAS DEPLOYED: **Worldwide\n * **COMPANY HEADQUARTERS LOCATION: **Taiwan\n\n### 3.4 RESEARCHER\n\nNozomi Networks reported this vulnerability to CISA.\n\n## 4\\. MITIGATIONS\n\nThroughTek recommends original equipment manufacturers to implement the following mitigations:\n\n * If SDK is Version 3.1.10 and above, enable authkey and DTLS.\n * If SDK is any version prior to 3.1.10, upgrade library to v3.3.1.0 or v3.4.2.0 and enable authkey/DTLS.\n\nAdditional information can be found in [ThroughTek\u2019s advisory](<https://www.throughtek.com/about-throughteks-kalay-platform-security-mechanism/>). \n\nCISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet](<https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nCISA also provides a section for [control systems security recommended practices](<https://us-cert.cisa.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B>). \n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target this vulnerability.\n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/icsa-21-166-01>); we'd welcome your feedback.\n", "published": "2021-06-15T00:00:00", "modified": "2021-06-15T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.us-cert.gov/ics/advisories/icsa-21-166-01", "reporter": "Industrial Control Systems Cyber Emergency Response Team", "references": ["https://twitter.com/share?url=https%3A%2F%2Fus-cert.cisa.gov%2Fics%2Fadvisories%2Ficsa-21-166-01", "https://www.facebook.com/sharer.php?u=https%3A%2F%2Fus-cert.cisa.gov%2Fics%2Fadvisories%2Ficsa-21-166-01", "http://www.addthis.com/bookmark.php?url=https%3A%2F%2Fus-cert.cisa.gov%2Fics%2Fadvisories%2Ficsa-21-166-01", "https://cwe.mitre.org/data/definitions/319.html", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-32934", "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "https://www.throughtek.com/about-throughteks-kalay-platform-security-mechanism/", "https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01", "https://us-cert.cisa.gov/ics/recommended-practices", "https://us-cert.cisa.gov/ics", "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf", "https://us-cert.cisa.gov/ics", "https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B", "https://www.dhs.gov/privacy-policy", "https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/icsa-21-166-01", "http://twitter.com/icscert", "https://www.dhs.gov", "https://www.dhs.gov/freedom-information-act-foia", "https://www.dhs.gov/homeland-security-no-fear-act-reporting", "https://www.dhs.gov/plain-writing-dhs", "https://www.dhs.gov/plug-information", "https://www.oig.dhs.gov/", "https://www.whitehouse.gov/", "https://www.usa.gov/", "https://www.dhs.gov/"], "cvelist": ["CVE-2021-32934"], "immutableFields": [], "lastseen": "2021-06-15T15:50:27", "history": [], "viewCount": 27, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:F43E0E83-AB20-454F-9F52-9A5B06742CB2"]}, {"type": "thn", "idList": ["THN:5F0BF3B286FABC4330F3CD1158E8A64C", "THN:5AB9B799387DFCA06785A794771CA81C"]}, {"type": "threatpost", "idList": ["THREATPOST:93843DFDBB801D0DB8A088076564EE58"]}], "modified": "2021-06-15T15:50:27", "rev": 2}, "score": {"value": -0.4, "vector": "NONE", "modified": "2021-06-15T15:50:27", "rev": 2}}, "objectVersion": "1.5", "_object_type": "robots.models.ics.ICSBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.ics.ICSBulletin"], "cvss2": {}, "cvss3": {}}], "threatpost": [{"id": "THREATPOST:93843DFDBB801D0DB8A088076564EE58", "hash": "0d697a866130f016dd824d15b612a3cf", "type": "threatpost", "bulletinFamily": "info", "title": "Millions of Connected Cameras Open to Eavesdropping", "description": "Millions of connected security and home cameras contain a critical software vulnerability that can allow remote attackers to tap into video feeds, according to a warning from the Cybersecurity and Infrastructure Security Agency (CISA).\n\nThe bug ([CVE-2021-32934](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32934>), with a CVSS v3 base score of 9.1) has been introduced via a supply-chain component from ThroughTek that\u2019s used by several original equipment manufacturers (OEMs) of security cameras \u2013 along with makers of IoT devices like baby- and pet-monitoring cameras, and robotic and battery devices.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nThe potential issues stemming from unauthorized viewing of feeds from these devices are myriad: For critical infrastructure operators and enterprises, video-feed interceptions could reveal sensitive business data, production/competitive secrets, information on floorplans for use in physical attacks, and employee information. And for home users, the privacy implications are obvious.\n\nIn its alert, [issued Tuesday](<https://us-cert.cisa.gov/ics/advisories/icsa-21-166-01>), CISA said that so far, no known public exploits are targeting the bug in the wild yet.\n\n## **Vulnerable P2P SDK**\n\nThe ThroughTek component at issue is its peer-to-peer (P2P) software development kit (SDK), which has been installed in several million connected devices, [according to the supplier](<https://www.throughtek.com/about-us/>). It\u2019s used to provide remote access to audio and video streams over the internet.\n\nNozomi Networks, which discovered the bug, noted that the way P2P works is based on three architectural aspects:\n\n * A network video recorder (NVR), which is connected to security cameras and represents the local P2P server that generates the audio/video stream.\n * An offsite P2P server, managed by the camera vendor or P2P SDK vendor. This server acts as a middleman, allowing the client and NVR to establish a connection to each other.\n * A software client, either a mobile or a desktop application, that accesses the audio/video stream from the internet.\n\n\u201cA peculiarity of P2P SDKs\u2026is that OEMs are not just licensing a P2P software library,\u201d analysts at Nozomi Networks pointed out, in a Tuesday posting. \u201cThey also receive infrastructure services (the offsite P2P server) for authenticating clients and servers and handling the audio/video stream.\u201d\n\nIn analyzing the specific client implementation for ThroughTek\u2019s P2P platform and the network traffic generated by a Windows client connecting to the NVR through P2P, Nozomi researchers found that the data transferred between the local device and ThroughTek servers lacked a secure key exchange, relying instead on an obfuscation scheme based on a fixed key.\n\n\u201cAfter setting a few breakpoints in the right spots, we managed to identify interesting code where the network\u2019s packet payload is de-obfuscated,\u201d according to [Nozomi\u2019s writeup](<https://www.nozominetworks.com/blog/new-iot-security-risk-throughtek-p2p-supply-chain-vulnerability/>). \u201cSince this traffic traverses the internet, an attacker that is able to access it can reconstruct the audio/video stream.\u201d\n\nNozomi was able to create a proof-of-concept script that de-obfuscates on-the-fly packets from network traffic, it said, but no further technical details were given. Notably, [ThroughTek\u2019s advisory](<https://www.throughtek.com/about-throughteks-kalay-platform-security-mechanism/>) also listed device-spoofing and device-certificate hijacking as other potential risks from any exploitation of the bug. The supplier has patched the issue in the latest version of the firmware.\n\n### **Affected Versions and Remedies:**\n\n * All versions below 3.1.10\n * SDK versions with nossl tag\n * Device firmware that does not use AuthKey for IOTC connection\n * Device firmware that uses AVAPI module without enabling DTLS mechanism\n * Device firmware that uses P2PTunnel or RDT module\n\n### **Actions to Take:**\n\n * If SDK is 3.1.10 and above, enable Authkey and DTLS\n * If SDK is below 3.1.10, upgrade library to 3.3.1.0 or 3.4.2.0 and enable Authkey/DTLS\n\nUnfortunately, end users will be forced to rely on camera and IoT manufacturers to install the updates \u2013 ThroughTek\u2019s vendor partners are not public.\n\n\u201cBecause ThroughTek\u2019s P2P library has been integrated by multiple vendors into many different devices over the years, it\u2019s virtually impossible for a third party to track the affected products,\u201d Nozomi researchers said.\n\nIoT camera bugs are hardly rare: Last month, for instance, owners of Eufy home-security cameras [were warned](<https://threatpost.com/eufy-cam-private-feeds/166288/>) of an internal server bug that allowed strangers to view, pan and zoom in on their home-video feeds. Customers were also suddenly given access to do the same to other users.\n\n**Join Threatpost for \u201c****[Tips and Tactics for Better Threat Hunting](<https://threatpost.com/webinars/tips-and-tactics-for-better-threat-hunting/?utm_source=ART&utm_medium=ART&utm_campaign=June_PaloAltoNetworks_Webinar>)****\u201d \u2014 a LIVE event on ****[Wed., June 30 at 2:00 PM ET](<https://threatpost.com/webinars/tips-and-tactics-for-better-threat-hunting/?utm_source=ART&utm_medium=ART&utm_campaign=June_PaloAltoNetworks_Webinar>)**** in partnership with Palo Alto Networks. Learn from Palo Alto\u2019s Unit 42 experts the best way to hunt down threats and how to use automation to help. ****[Register HERE](<https://threatpost.com/webinars/tips-and-tactics-for-better-threat-hunting/?utm_source=ART&utm_medium=ART&utm_campaign=June_PaloAltoNetworks_Webinar>)**** for free!**\n", "published": "2021-06-15T20:51:44", "modified": "2021-06-15T20:51:44", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://threatpost.com/millions-connected-cameras-eavesdropping/166950/", "reporter": "Tara Seals", "references": ["https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-32934", "https://threatpost.com/newsletter-sign/", "https://us-cert.cisa.gov/ics/advisories/icsa-21-166-01", "https://www.throughtek.com/about-us/", "https://www.nozominetworks.com/blog/new-iot-security-risk-throughtek-p2p-supply-chain-vulnerability/", "https://www.throughtek.com/about-throughteks-kalay-platform-security-mechanism/", "https://threatpost.com/eufy-cam-private-feeds/166288/", "https://threatpost.com/webinars/tips-and-tactics-for-better-threat-hunting/?utm_source=ART&utm_medium=ART&utm_campaign=June_PaloAltoNetworks_Webinar", "https://threatpost.com/webinars/tips-and-tactics-for-better-threat-hunting/?utm_source=ART&utm_medium=ART&utm_campaign=June_PaloAltoNetworks_Webinar", "https://threatpost.com/webinars/tips-and-tactics-for-better-threat-hunting/?utm_source=ART&utm_medium=ART&utm_campaign=June_PaloAltoNetworks_Webinar"], "cvelist": ["CVE-2021-32934"], "immutableFields": [], "lastseen": "2021-06-15T21:03:06", "history": [], "viewCount": 40, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:F43E0E83-AB20-454F-9F52-9A5B06742CB2"]}, {"type": "thn", "idList": ["THN:5F0BF3B286FABC4330F3CD1158E8A64C", "THN:5AB9B799387DFCA06785A794771CA81C"]}, {"type": "ics", "idList": ["ICSA-21-166-01"]}, {"type": "threatpost", "idList": ["THREATPOST:5CFF7D07899B6CA2FDCBAC4BBE6C5B09"]}], "modified": "2021-06-15T21:03:06", "rev": 2}, "score": {"value": 0.1, "vector": "NONE", "modified": "2021-06-15T21:03:06", "rev": 2}}, "objectVersion": "1.5", "_object_type": "robots.models.threatpost.ThreatpostBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.threatpost.ThreatpostBulletin"], "cvss2": {}, "cvss3": {}}], "thn": [{"id": "THN:5F0BF3B286FABC4330F3CD1158E8A64C", "hash": "e6c0a521f5af371b271d4c759505a602", "type": "thn", "bulletinFamily": "info", "title": "Critical ThroughTek SDK Bug Could Let Attackers Spy On Millions of IoT Devices", "description": "[](<https://blogger.googleusercontent.com/img/a/AVvXsEhW_wGKVcHvR66Te1Gt50xWdTcmpv33kW9QyC7B30b7alaB4mDxx7wOYqjtIDiXTQXVHMg0J0boW6xa0AhlAbjmZyu9ODaLExvCqVHKaYqYaF5zrDaL7tLs76k229QwgKSDpns0IvNmABNsv1c5L6IsynltcKqRoM--ITPyiQRDy2PlbnRVLOMSXrIi>)\n\nA security vulnerability has been found affecting several versions of ThroughTek Kalay P2P Software Development Kit (SDK), which could be abused by a remote attacker to take control of an affected device and potentially lead to remote code execution.\n\nTracked as CVE-2021-28372 (CVSS score: 9.6) and [discovered](<https://www.fireeye.com/blog/threat-research/2021/08/mandiant-discloses-critical-vulnerability-affecting-iot-devices.html>) by FireEye Mandiant in late 2020, the weakness concerns an improper access control flaw in ThroughTek point-to-point (P2P) products, successful exploitation of which could result in the \"ability to listen to live audio, watch real time video data, and compromise device credentials for further attacks based on exposed device functionality.\"\n\n[](<https://go.thn.li/1-free-300-7> \"Stack Overflow Teams\" )\n\n\"Successful exploitation of this vulnerability could permit remote code execution and unauthorized access to sensitive information, such as to camera audio/video feeds,\" the U.S. Cybersecurity and Infrastructure Security Agency (CISA) [noted](<https://us-cert.cisa.gov/ncas/current-activity/2021/08/17/cisa-releases-security-advisory-throughtek-kalay-p2p-sdk>) in an advisory.\n\nThere are believed to be 83 million active devices on the Kalay platform. The following versions of Kalay P2P SDK are impacted -\n\n * Versions 3.1.5 and prior\n * SDK versions with the nossl tag\n * Device firmware that does not use AuthKey for IOTC connection\n * Device firmware using the AVAPI module without enabling DTLS mechanism\n * Device firmware using P2PTunnel or RDT module\n\nThe Taiwanese company's Kalay platform is a [P2P technology](<https://www.throughtek.com/overview/>) that allows IP cameras, light cameras, baby monitors, and other internet-enabled video surveillance products to handle secure transmission of large audio and video files at low latency. This is made possible through the SDK \u2013 an implementation of the Kalay protocol \u2013 that's integrated into mobile and desktop apps and networked IoT devices.\n\n[](<https://blogger.googleusercontent.com/img/a/AVvXsEjQFbfp_02H_Z7-RQNE_KE9PMCtR81Hml7S3Y_kzgKWaSUtvmJQ2HS4OngfZVdJ1GYLF2gbGXZUkVBWI2gqk1iWFklDMlpaPIwhs57cQmXDNjZrzVD8d2Dh2t0DpVJULUkNSjLiwaxaZyPkubSySTqlvUs8IykmjYkfYPWGUoNGTrirSDIkuV8Z7bkG>)\n\nCVE-2021-28372 resides in the registration process between the devices and their mobile applications, specifically concerning how they access and join the Kalay network, enabling attackers to spoof a victim device's identifier (called UID) to maliciously register a device on the network with the same UID, causing the registration servers to overwrite the existing device and route the connections to be mistakenly routed to the rogue device.\n\n[](<https://go.thn.li/privileged_728> \"Prevent Data Breaches\" )\n\n\"Once an attacker has maliciously registered a UID, any client connection attempts to access the victim UID will be directed to the attacker,\" the researchers said. \"The attacker can then continue the connection process and obtain the authentication materials (a username and password) needed to access the device. With the compromised credentials, an attacker can use the Kalay network to remotely connect to the original device, access AV data, and execute RPC calls.\"\n\n[](<https://blogger.googleusercontent.com/img/a/AVvXsEj7E0kVXTdd7LPsGk5tbWLOfTlsWeLkPcDs9kRBdPDgHxWxBq-79G5iLwFTiXJVZKLdVEthv_lYVgjmPhCvM0wQ9A54fqrhHttUKxgLI_FupdDX_nunY8-LBLdJ71_w-YistcJjdec5-yLulrnXzf8Iw3WtXPLJd_yc2BXVcAQ6i5hBM16X_dv59oVa>)\n\nHowever, it's worth pointing out that an adversary would require \"comprehensive knowledge\" of the Kalay protocol, not to mention obtain the Kalay UIDs through social engineering or other vulnerabilities in APIs or services that could be taken advantage of to pull off the attacks.\n\nTo mitigate against any potential exploitation, it's recommended to upgrade the Kalay protocol to version 3.1.10 as well as enable DTLS and AuthKey to secure data in transit and add an additional layer of authentication during client connection.\n\nThe development marks the second time a similar vulnerability has been disclosed in ThroughTek's P2P SDK. In June 2021, CISA issued an alert warning of a critical flaw ([CVE-2021-32934](<https://thehackernews.com/2021/06/critical-throughtek-flaw-opens-millions.html>)) that could be leveraged to access the camera audio and video feeds through improper means.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "published": "2021-08-18T15:48:00", "modified": "2021-08-20T15:21:50", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "cvss2": {}, "cvss3": {}, "href": "https://thehackernews.com/2021/08/critical-throughtek-sdk-bug-could-let.html", "reporter": "The Hacker News", "references": [], "cvelist": ["CVE-2021-28372", "CVE-2021-32934"], "immutableFields": [], "lastseen": "2021-08-20T19:13:30", "history": [{"bulletin": {"id": "THN:5F0BF3B286FABC4330F3CD1158E8A64C", "hash": "55b900bf7020893b67f856f82b0d7a3a", "type": "thn", "bulletinFamily": "info", "title": "Critical ThroughTek SDK Bug Could Let Attackers Spy On Millions of IoT Devices", "description": "[](<https://blogger.googleusercontent.com/img/a/AVvXsEhW_wGKVcHvR66Te1Gt50xWdTcmpv33kW9QyC7B30b7alaB4mDxx7wOYqjtIDiXTQXVHMg0J0boW6xa0AhlAbjmZyu9ODaLExvCqVHKaYqYaF5zrDaL7tLs76k229QwgKSDpns0IvNmABNsv1c5L6IsynltcKqRoM--ITPyiQRDy2PlbnRVLOMSXrIi>)\n\nA security vulnerability has been found affecting several versions of ThroughTek Kalay P2P Software Development Kit (SDK), which could be abused by a remote attacker to take control of an affected device and potentially lead to remote code execution.\n\nTracked as CVE-2021-28372 (CVSS score: 9.6) and [discovered](<https://www.fireeye.com/blog/threat-research/2021/08/mandiant-discloses-critical-vulnerability-affecting-iot-devices.html>) by FireEye Mandiant in late 2020, the weakness concerns an improper access control flaw in ThroughTek point-to-point (P2P) products, successful exploitation of which could result in the \"ability to listen to live audio, watch real time video data, and compromise device credentials for further attacks based on exposed device functionality.\"\n\n[](<https://go.thn.li/1-free-300-7> \"Stack Overflow Teams\" )\n\n\"Successful exploitation of this vulnerability could permit remote code execution and unauthorized access to sensitive information, such as to camera audio/video feeds,\" the U.S. Cybersecurity and Infrastructure Security Agency (CISA) [noted](<https://us-cert.cisa.gov/ncas/current-activity/2021/08/17/cisa-releases-security-advisory-throughtek-kalay-p2p-sdk>) in an advisory.\n\nThere are believed to be 83 million active devices on the Kalay platform. The following versions of Kalay P2P SDK are impacted -\n\n * Versions 3.1.5 and prior\n * SDK versions with the nossl tag\n * Device firmware that does not use AuthKey for IOTC connection\n * Device firmware using the AVAPI module without enabling DTLS mechanism\n * Device firmware using P2PTunnel or RDT module\n\nThe Taiwanese company's Kalay platform is a [P2P technology](<https://www.throughtek.com/overview/>) that allows IP cameras, light cameras, baby monitors, and other internet-enabled video surveillance products to handle secure transmission of large audio and video files at low latency. This is made possible through the SDK \u2013 an implementation of the Kalay protocol \u2013 that's integrated into mobile and desktop apps and networked IoT devices.\n\n[](<https://blogger.googleusercontent.com/img/a/AVvXsEjQFbfp_02H_Z7-RQNE_KE9PMCtR81Hml7S3Y_kzgKWaSUtvmJQ2HS4OngfZVdJ1GYLF2gbGXZUkVBWI2gqk1iWFklDMlpaPIwhs57cQmXDNjZrzVD8d2Dh2t0DpVJULUkNSjLiwaxaZyPkubSySTqlvUs8IykmjYkfYPWGUoNGTrirSDIkuV8Z7bkG>)\n\nCVE-2021-28372 resides in the registration process between the devices and their mobile applications, specifically how they access and join the Kalay network, enabling attackers to spoof a victim device's identifier (called UID) to maliciously register a device on the network with the same UID, causing the registration servers to overwrite the existing device and route the connections to be mistakenly routed to the rogue device.\n\n[](<https://go.thn.li/privileged_728> \"Prevent Data Breaches\" )\n\n\"Once an attacker has maliciously registered a UID, any client connection attempts to access the victim UID will be directed to the attacker,\" the researchers said. \"The attacker can then continue the connection process and obtain the authentication materials (a username and password) needed to access the device. With the compromised credentials, an attacker can use the Kalay network to remotely connect to the original device, access AV data, and execute RPC calls.\"\n\n[](<https://blogger.googleusercontent.com/img/a/AVvXsEj7E0kVXTdd7LPsGk5tbWLOfTlsWeLkPcDs9kRBdPDgHxWxBq-79G5iLwFTiXJVZKLdVEthv_lYVgjmPhCvM0wQ9A54fqrhHttUKxgLI_FupdDX_nunY8-LBLdJ71_w-YistcJjdec5-yLulrnXzf8Iw3WtXPLJd_yc2BXVcAQ6i5hBM16X_dv59oVa>)\n\nHowever, it's worth pointing out that an adversary would require \"comprehensive knowledge\" of the Kalay protocol, not to mention obtain the Kalay UIDs through social engineering or other vulnerabilities in APIs or services that could be taken advantage of to pull off the attacks.\n\nTo mitigate against any potential exploitation, it's recommended to upgrade the Kalay protocol to version 3.1.10 as well as enable DTLS and AuthKey to secure data in transit and add an additional layer of authentication during client connection.\n\nThe development marks the second time a similar vulnerability has been disclosed in ThroughTek's P2P SDK. In June 2021, CISA issued an alert warning of a critical flaw ([CVE-2021-32934](<https://thehackernews.com/2021/06/critical-throughtek-flaw-opens-millions.html>)) that could be leveraged to access camera audio and video feeds improperly.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "published": "2021-08-18T15:48:00", "modified": "2021-08-18T15:48:40", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://thehackernews.com/2021/08/critical-throughtek-sdk-bug-could-let.html", "reporter": "The Hacker News", "references": [], "cvelist": ["CVE-2021-28372", "CVE-2021-32934"], "immutableFields": [], "lastseen": "2021-08-18T20:44:41", "history": [], "viewCount": 10, "enchantments": {"dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:F43E0E83-AB20-454F-9F52-9A5B06742CB2"]}, {"type": "cve", "idList": ["CVE-2021-28372"]}, {"type": "thn", "idList": ["THN:5AB9B799387DFCA06785A794771CA81C"]}, {"type": "threatpost", "idList": ["THREATPOST:93843DFDBB801D0DB8A088076564EE58", "THREATPOST:EFC9891A6D0916117D424D2336342F32"]}, {"type": "ics", "idList": ["ICSA-21-229-01", "ICSA-21-166-01"]}, {"type": "fireeye", "idList": ["FIREEYE:D268F454E3506F10B65255B8756772D3"]}], "modified": "2021-08-18T20:44:41", "rev": 2}, "score": {"value": 6.5, "vector": "NONE", "modified": "2021-08-18T20:44:41", "rev": 2}}, "objectVersion": "1.6"}, "lastseen": "2021-08-18T20:44:41", "differentElements": ["cvss", "description", "modified"], "edition": 1}], "viewCount": 10, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-28372"]}, {"type": "attackerkb", "idList": ["AKB:F43E0E83-AB20-454F-9F52-9A5B06742CB2"]}, {"type": "threatpost", "idList": ["THREATPOST:EFC9891A6D0916117D424D2336342F32", "THREATPOST:93843DFDBB801D0DB8A088076564EE58"]}, {"type": "fireeye", "idList": ["FIREEYE:D268F454E3506F10B65255B8756772D3"]}, {"type": "ics", "idList": ["ICSA-21-229-01", "ICSA-21-166-01"]}, {"type": "thn", "idList": ["THN:5AB9B799387DFCA06785A794771CA81C"]}], "modified": "2021-08-20T19:13:30", "rev": 2}, "score": {"value": 6.5, "vector": "NONE", "modified": "2021-08-20T19:13:30", "rev": 2}}, "objectVersion": "1.6", "_object_type": "robots.models.thn.ThnBulletin", "_object_types": ["robots.models.thn.ThnBulletin", "robots.models.base.Bulletin"]}]}