ThroughTek P2P SDK

Act Now9.1ICS-CERT ICSA-21-166-01Jun 15, 2021

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

ThroughTek P2P SDK versions without proper authentication and encryption mechanisms allow unauthorized access to IP camera feeds. The vulnerability affects device firmware using P2P connections that do not enable AuthKey for IOTC connections or lack DTLS encryption on P2PTunnel, RDT, or AVAPI modules. Versions 3.1.5 and below are particularly vulnerable. An attacker with network access can intercept and capture camera audio/video feeds without authentication.

What this means

What could happen

An attacker could intercept and access camera feeds (audio and video) from IP cameras using vulnerable versions of the ThroughTek P2P SDK, compromising facility surveillance and security monitoring.

Who's at risk

This affects water authorities, electric utilities, and industrial facilities using IP cameras with ThroughTek P2P SDK for remote monitoring and surveillance. Any facility relying on cloud-connected security cameras (especially those manufactured with this SDK) for perimeter monitoring, critical infrastructure protection, or facility access control should be concerned.

How it could be exploited

An attacker on the network (or internet if the camera is exposed) can capture unencrypted P2P connection traffic between the camera and the ThroughTek cloud platform. By intercepting the IOTC connection that lacks AuthKey, the attacker can gain unauthorized access to the camera stream without authentication.

Prerequisites

Network access to the P2P connection between camera and cloud platform (can be from the internet if camera is internet-exposed)
Camera using vulnerable SDK version without AuthKey enabled for IOTC
No DTLS encryption enabled on P2PTunnel, RDT, or AVAPI modules

remotely exploitableno authentication requiredlow complexityhigh CVSS (9.1)no patch available for some configurationsaffects surveillance systems critical to physical security

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (5)

5 with fix

ProductAffected VersionsFix Status

P2P Software Development Kit: Device firmware that does not use AuthKey for IOTC connection* (that does not use AuthKey for IOTC connection)3.3.1.0 or 3.4.2.0

P2P Software Development Kit:≤ 3.1.53.3.1.0 or 3.4.2.0

P2P Software Development Kit: SDK* (with nossl tag)3.3.1.0 or 3.4.2.0

P2P Software Development Kit: Device firmware using P2PTunnel or RDT module* (using P2PTunnel or RDT module)3.3.1.0 or 3.4.2.0

P2P Software Development Kit: Device firmware using the AVAPI module without enabling DTLS mechanism* (using the AVAPI module without enabling DTLS mechanism)3.3.1.0 or 3.4.2.0

Remediation & Mitigation

0/4

Do now

0/3

HARDENINGIf SDK version is 3.1.10 or above, enable authkey and DTLS mechanism on all P2P modules

HOTFIXIf SDK version is prior to 3.1.10, upgrade to library version 3.3.1.0 or 3.4.2.0 and enable authkey/DTLS

HARDENINGEnsure cameras are not directly accessible from the internet; place behind firewalls and isolate from business network

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGIf remote camera access is required, use secure tunneling methods such as VPN

CVEs (1)

CVE-2021-32934

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/48d5b8d4-9bd3-497a-b8ac-aff356206147