ThroughTek Kalay P2P SDK
Plan PatchCVSS 9.6ICS-CERT ICSA-21-229-01Aug 17, 2021
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionRequired
Summary
ThroughTek Kalay P2P SDK contains an improper access control vulnerability (CWE-284) affecting IP camera devices and equipment that use the P2P platform for remote connectivity. The vulnerability exists in SDK versions prior to 3.1.10, in SDK builds without SSL (nossl tag), in device firmware using P2PTunnel or RDT modules without proper authentication, and in devices using the AVAPI module without DTLS encryption enabled. An attacker can achieve remote code execution and unauthorized access to sensitive information including camera audio and video feeds.
What this means
What could happen
An attacker can remotely access IP cameras and execute commands on affected devices without authentication, potentially viewing live or recorded video feeds and altering device configuration or operation. This affects all internet-connected cameras or IoT devices built on vulnerable ThroughTek SDK versions.
Who's at risk
This affects any organization operating internet-connected IP cameras, video surveillance systems, or IoT devices that use ThroughTek's Kalay P2P SDK for remote access. This includes security camera systems at water utilities, electric utilities, traffic management systems, and any facility with remotely monitored IP cameras built on affected SDK versions. OEMs (original equipment manufacturers) of these devices should prioritize firmware updates.
How it could be exploited
An attacker sends a specially crafted request to the P2P connection port on an internet-accessible camera or IoT device running vulnerable SDK. The improper access control allows the attacker to bypass authentication and gain control of the device. No user interaction is required; the device simply needs to be reachable from the attacker's network.
Prerequisites
- Internet or network access to port used by Kalay P2P SDK (commonly used by IP cameras)
- Target device must be running vulnerable SDK version (<=3.1.10) or specific vulnerable configurations (nossl builds, P2PTunnel/RDT without authkey, AVAPI without DTLS)
- No authentication credentials required
remotely exploitableno authentication requiredlow complexityhigh CVSS score (9.6)no patch available for older SDK versionsdefault insecure configurations in some SDK builds
Exploitability
Unlikely to be exploited — EPSS score 0.9%
Affected products (5)
5 pending
ProductAffected VersionsFix Status
Kalay P2P SDK:≤ 3.1.5No fix yet
Kalay P2P SDK: SDK* (with the nossl tag)No fix yet
Kalay P2P SDK: Device firmware using P2PTunnel or RDT module* (using P2PTunnel or RDT module)No fix yet
Kalay P2P SDK: Device firmware that does not use AuthKey for IOTC connection* (that does not use AuthKey for IOTC connection)No fix yet
Kalay P2P SDK: Device firmware using the AVAPI module without enabling DTLS mechanism* (using the AVAPI module without enabling DTLS mechanism)No fix yet
Remediation & Mitigation
0/7
Do now
0/2HOTFIXUpgrade Kalay P2P SDK library to version 3.3.1.0 or 3.4.2.0 if currently running SDK versions prior to 3.1.10
WORKAROUNDDo not allow remote access to affected cameras or IoT devices from untrusted networks or the public internet
Schedule — requires maintenance window
0/3Patching may require device reboot — plan for process interruption
HARDENINGFor devices already running SDK version 3.1.10 or above, enable authkey and DTLS encryption in device configuration
HARDENINGFor devices using P2PTunnel or RDT modules, ensure authkey is enabled for IOTC connections
HARDENINGFor devices using AVAPI module, enable DTLS mechanism in configuration
Long-term hardening
0/2HARDENINGPlace camera and IoT device network behind firewall and isolate from business network
HARDENINGUse VPN with current patches for any required remote access to devices, but verify devices behind VPN are also patched
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/6639115e-977d-488b-8ce6-21f15978ad7aGet OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.