SDK supply chain vulnerability exposes security cameras to hacking

A vulnerability in ThroughTek’s Kalay Platform software development kit (SDK) has exposed many consumer-grade security cameras and IoT devices built by original equipment manufacturers (OEMs) that embed the SDK.

ThroughTek provides IoT and P2P solutions for security systems, surveillance, smart homes, personal cloud storage, and consumer electronics.

The vulnerability, CVE-2021-32934, affects the P2P library in ThroughTek SDKs up to and including version 3.1.5. The P2P SDK provides remote access to audio/video streams over the internet.

“The main concern is that this vulnerability may cause IOTC encryption to be compromised. This vulnerability has been addressed in SDK version 3.3 and onwards, which was released in mid-2020,” ThroughTek wrote in a security advisory.

Security researchers from Nozomi discovered the vulnerable devices after they analyzed the network traffic generated by a Windows client connecting to a network video recorder (NVR) through a peer-to-peer (P2P) connection.

Because the P2P traffic can be compromised, a threat actor could gain unauthorized access to sensitive information, such as camera feeds.

Nozomi noted the affected devices were running outdated software, which underscores the need for OEM vendors to keep SDKs up to date in response to ongoing threats.

In addition, the Department of Homeland Security (DHS) released an ICS-CERT security advisory (ICSA-21-166-01) regarding the SDK threat. CVE-2021-32934 has a CVSS base score of 9.1.

This past March, security experts from the United Kingdom (UK) National Cyber Security Centre (NCSC) issued a security advisory urging users to secure internet-connected cameras, such as home smart cameras and baby monitors.

Affected products

According to ThroughTek, the following P2P Software Development Kit (SDK) products and firmware are affected:

  • All versions below 3.1.10
  • SDK versions with the nossl tag
  • Device firmware that does not use AuthKey for the IOTC connection
  • Device firmware that uses the AVAPI module without enabling the DTLS mechanism
  • Device firmware that uses the P2PTunnel or RDT module

Moreover, ThroughTek recommends the following mitigations:

  • If SDK is Version 3.1.10 and above, enable authkey and DTLS.
  • If SDK is any version prior to 3.1.10, upgrade library to v3.3.1.0 or v3.4.2.0 and enable authkey/DTLS.
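The affected-product rules and mitigations above can be turned into an inventory check for OEM firmware builds. The following is an added example written for this article, not ThroughTek code; the record field names (sdk_version, nossl, authkey, avapi, dtls, p2ptunnel_or_rdt) are assumptions about how a firmware inventory might describe a build.

```python
from dataclasses import dataclass

# Constructed example: apply ThroughTek's published affected-product rules and
# mitigation advice for CVE-2021-32934 to a firmware inventory record.
# The field names below are assumptions for this example, not a ThroughTek API.

FIXED_MINIMUM = (3, 1, 10)                  # "All versions below 3.1.10" are affected
UPGRADE_TARGETS = ("3.3.1.0", "3.4.2.0")    # upgrade targets named in the advisory


def parse_version(version: str) -> tuple:
    """Split a dotted version into integers so 3.1.10 sorts above 3.1.5.
    A plain string comparison gets this wrong ("3.1.10" < "3.1.5")."""
    return tuple(int(part) for part in version.strip().split("."))


@dataclass
class FirmwareRecord:
    sdk_version: str
    nossl: bool = False              # SDK built with the "nossl" tag
    authkey: bool = False            # AuthKey used for the IOTC connection
    avapi: bool = False              # AVAPI module in use
    dtls: bool = False               # DTLS enabled for AVAPI
    p2ptunnel_or_rdt: bool = False   # P2PTunnel or RDT module in use


def assess(record: FirmwareRecord) -> dict:
    """Return which affected-product rules match and the recommended mitigation."""
    version = parse_version(record.sdk_version)
    reasons = []
    if version < FIXED_MINIMUM:
        reasons.append("SDK version below 3.1.10")
    if record.nossl:
        reasons.append("SDK built with nossl tag")
    if not record.authkey:
        reasons.append("AuthKey not used for IOTC connection")
    if record.avapi and not record.dtls:
        reasons.append("AVAPI module without DTLS")
    if record.p2ptunnel_or_rdt:
        reasons.append("P2PTunnel or RDT module in use")

    if version < FIXED_MINIMUM:
        action = "upgrade library to " + " or ".join(UPGRADE_TARGETS) + " and enable authkey/DTLS"
    elif reasons:
        action = "enable authkey and DTLS"
    else:
        action = "no action required"
    return {"affected": bool(reasons), "reasons": reasons, "action": action}
```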
