The issue affects the third-party ThroughTek peer-to-peer SDK.
Millions of CCTV cameras contain a serious software vulnerability that allows outsiders to intercept the video stream.
On the CVSS v3 hazard rating scale, the vulnerability ( CVE-2021-32934 ) received a score of 9.1 out of a maximum 10. The problem affects the ThroughTek component from a third-party manufacturer used in the software of some CCTV cameras. The same component is also used by a number of IoT device manufacturers, including baby monitors and pet tracking devices.
The ThroughTek component is a peer-to-peer (P2P) software development kit (SDK) that provides access to video and audio streams over the Internet.
The vulnerability has not yet been exploited by hackers. However, the consequences of its potential exploitation can be dire, and the developer has already released a fix. Intercepting video from CCTV cameras used in industrial plants or critical infrastructure facilities can lead to theft of confidential business data, industrial secrets, building layouts that can then be used in physical attacks, as well as employee data. There is no need to explain the consequences of intercepting a video stream for home users.
Vulnerable versions:
- All ThroughTek versions up to 3.1.10;
- SDK versions with nossl tag;
- Firmware for devices that do not use AuthKey for IOTC connection;
- Flashing devices that use the AVAPI module without DTLS enabled;
- Flashing devices using P2PTunnel or RDT.
What to do:
- In SDK version 3.1.10 or later, enable Authkey and DTLS;
- In SDK version 3.1.10 or earlier, update the library to version 3.3.1.0 or 3.4.2.0 and enable Authkey / DTLS.
Unfortunately, end-users will have to wait until the manufacturers of CCTV cameras and other affected
devices release updates. Because many manufacturers have integrated the ThroughTek library with many devices over the years , it is impossible to track all affected products.