Nozomi finds IoT security camera vulnerability

  • June 23, 2021
  • Steve Rogerson

California-based Nozomi Networks has discovered a security-camera vulnerability, the latest in a series regarding IoT security. It could affect several million devices.

This vulnerability affects a software component from Taiwanese company ThroughTek. The component is part of the supply chain for many OEMs of consumer-grade security cameras and IoT devices. ThroughTek says it is used by several million connected devices.

ThroughTek’s P2P software development kit (SDK) provides remote access to audio and video streams over the internet. P2P is used by multiple camera vendors.

The risk of using vulnerable cameras is unauthorised access to confidential audio and video camera feeds. For critical infrastructure operators, this could reveal sensitive business, production and employee information.

ThroughTek’s web site shows its technology being used by OEMs that manufacture IP cameras, baby and pet monitoring cameras, and robotic and battery devices.

Nozomi Networks has a continuous pipeline of devices that enter its lab, from PLC to IoT to medical devices. When it receives a new device, one of the first activities is to analyse its network traffic.

The lab recently received a network video recorder (NVR) and found it had P2P functionality. It analysed the network traffic generated by a Windows client connecting to the NVR through P2P. Several packets connect to iotcplatform.com, the domain name accessed by clients of ThroughTek’s P2P platform.

It then started investigating the client implementation, realising it came embedded with different sets of P2P libraries. The software client is essentially a white-label product so it needs to provide full interoperability with several P2P vendors.

After setting a few breakpoints in the right spots, the lab identified the code where the network packet payload was de-obfuscated. The researchers parsed the code to understand which types of command it contained. The word de-obfuscated signifies that the protocol lacks a secure key exchange and relies instead on an obfuscation scheme based on a fixed key, so anyone who recovers that key can decode the traffic of every device that uses it.

Since this traffic traverses the internet, an attacker that can access it can reconstruct the audio and video stream.

Nozomi disclosed this vulnerability in March 2021 and ThroughTek acknowledged the problem. The company also proceeded to notify its customers and committed to fixing the vulnerability by adding a layer of encryption based on DTLS ECDSA-PSK.

ThroughTek’s web page addressing the SDK vulnerability advises its customers to enable security functionality or upgrade to a current version.

Because ThroughTek’s P2P library has been integrated by multiple vendors into many different devices over the years, it’s virtually impossible for a third party to track the affected products. The threat model under which this type of vulnerability is exploitable is the limiting factor for its actual impact.

In essence, any actor that can access the network traffic between the NVR and the end user, including the P2P third-party server provider in some scenarios, could access and view confidential audio and video streams.

While doing further research, the lab stumbled upon more recent versions of the library, with a different obfuscation scheme and a different set of parameters. It could not perform a dynamic analysis of those libraries because finding a device running the newer version of the protocol proved to be a bigger challenge than finding the vulnerability.

In summary, while ThroughTek states its software is used by millions of devices, and P2P functionality is widespread among vendors, it is difficult to evaluate the risk of a particular security camera.

Generally, when a buyer looks at the technical details of various security cameras, they are unable to identify the P2P provider or find a proper description of the protocol. Often, the best and only way to get this information is to look directly at the client and server implementation, and most buyers do not have the skills or inclination to do this.

Therefore, the best way to prevent captured audio and video content from being viewed by strangers over the internet is to disable P2P functionality.
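Before P2P can be disabled it has to be found, and the article notes that buyers usually cannot tell from a product sheet which P2P provider a camera uses. One thing the article does give is the domain that ThroughTek P2P clients contact, iotcplatform.com, so a defender can inventory devices on their own network by checking DNS query logs for it. The script below is an added example written for this page, not Nozomi's or ThroughTek's code; the log format and every IP address in it are constructed for illustration, and the only real identifier is the domain name taken from the article.

```python
import re
from collections import defaultdict

# Domain named in the article as the one contacted by clients of
# ThroughTek's P2P platform. Add further domains here if a vendor
# advisory lists them; none are invented in this example.
P2P_DOMAINS = ("iotcplatform.com",)

# Constructed DNS query log, one query per line:
#   <timestamp> <source IP> <query type> query <queried name>
# These lines are made up for the example and are not a real capture.
SAMPLE_DNS_LOG = """\
2021-06-22T10:01:12Z 192.168.10.45 A query time.example.net
2021-06-22T10:01:13Z 192.168.10.87 A query m1.iotcplatform.com
2021-06-22T10:01:19Z 192.168.10.87 A query m2.iotcplatform.com
2021-06-22T10:02:40Z 192.168.10.12 A query update.example.net
2021-06-22T10:02:55Z 192.168.10.12 A query notiotcplatform.com
2021-06-22T10:03:01Z 192.168.10.91 A query iotcplatform.com
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<qtype>\S+)\s+query\s+(?P<qname>\S+)$"
)


def matches_p2p_domain(qname: str) -> bool:
    """True if qname is one of the P2P domains or a subdomain of one.

    The check is label-aware: "notiotcplatform.com" is not a match,
    while "m1.iotcplatform.com" is. A trailing dot (FQDN form) is ignored.
    """
    name = qname.rstrip(".").lower()
    for domain in P2P_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return True
    return False


def find_p2p_clients(log_text: str) -> dict:
    """Map each source IP to the set of P2P-platform names it queried.

    Lines that do not match the expected format are skipped rather than
    aborting the scan, since real logs often contain noise.
    """
    clients = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if matches_p2p_domain(m["qname"]):
            clients[m["src"]].add(m["qname"].rstrip(".").lower())
    return dict(clients)


def report(log_text: str) -> list:
    """Return one human-readable line per device that used P2P."""
    lines = []
    for src, names in sorted(find_p2p_clients(log_text).items()):
        lines.append(f"{src}: contacted {', '.join(sorted(names))}")
    return lines


if __name__ == "__main__":
    # Devices listed here are candidates for disabling P2P in their
    # settings or for checking against the vendor's advisory.
    for line in report(SAMPLE_DNS_LOG):
        print(line)
```

Run against a real resolver log by replacing SAMPLE_DNS_LOG with the file contents and adjusting LINE_RE to the resolver's format; the domain matching and per-device grouping stay the same. Devices that appear in the output are the ones whose P2P setting should be reviewed first.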

Nozomi recommends that users only enable P2P in the rare situations where the vendor can provide a thorough technical explanation of why the algorithms used in its products are secure.

Further considerations include assessing the security and privacy policies of both the camera vendor and the jurisdiction in which the vendor is located.

“In other words, don’t take a chance on viewing camera feeds over the internet, unless you have done thorough technical due diligence and feel comfortable with the vendor’s security and privacy practices,” says a Nozomi statement.