IoT supply chain hit by ThroughTek P2P SDK vulnerability

ThroughTek P2P

The Cybersecurity and Infrastructure Security Agency (CISA) announced on Tuesday the presence of a security vulnerability in ThroughTek P2P (Peer-to-Peer) SDK that allows cleartext transmission of sensitive information, such as camera audio/video feeds. The vulnerability affects a software component, part of the supply chain for many OEMs (original equipment manufacturers) of consumer-grade security cameras and IoT devices. 

The ThroughTek P2P vulnerability leads to the affected products not protecting data transferred between ThroughTek servers and local devices. The risk of using vulnerable cameras comes from providing unauthorized access to confidential audio/video camera feeds. For critical infrastructure operators, this could reveal sensitive business, production and employee information. 

A CVSS v3 base score of 9.1 has been calculated and assigned to the ThroughTek P2P SDK vulnerability. Nozomi Networks reported this vulnerability to CISA, according to the advisory

Nozomi disclosed the vulnerability in March, and ThroughTek promptly acknowledged the problem detected in several million connected devices. The company proceeded to notify its customers and committed to fixing the vulnerability by adding a layer of encryption based on DTLS ECDSA-PSK. ThroughTek’s webpage addressing the SDK vulnerability advises customers to enable security functionality or upgrade to a current version. 

Nozomi had in January discovered vulnerabilities in the P2P feature of Reolink security cameras that could permit unauthorized access to sensitive information due to the presence of two security vulnerabilities. 

In its advisory, the Taiwanese company lists the potential ramifications of the ThroughTek P2P vulnerability to include device spoofing, device certificate hijack, and private data or video leakage. ThroughTek identified the required skills for exploiting the vulnerability to include deep knowledge of network security, awareness of network sniffer tools and grasp of encryption algorithms.

ThroughTek advised its users of SDK 3.1.10 and above to enable Authkey and DTLS (Datagram Transport Layer Security), while if the SDK deployed is below 3.1.10, users have been recommended to upgrade the library to or and enable Authkey/DTLS. 

P2P, in the context of security cameras, refers to functionality that allows a client to access audio/video streams transparently through the internet. The video data is available from the cameras or accessed using Network Video Recorders (NVRs). Instead of having a user explicitly configure a firewall to let a client reach the device with the video data, P2P establishes a connection through a set technique commonly defined by the umbrella term ‘hole punching.’ The technical details vary between vendors and third-party providers of the functionality. 

However, the typical scenario involves an internet-reachable node which acts as a mediator between the client that wants to access the audio/video stream, and the device that serves the data.

Nozomi Networks Labs recently received a NVR and its team determined that it has P2P functionality. The company analyzed the network traffic generated by a Windows client connecting to the NVR through P2P, and noticed several packets connecting to, the domain name accessed by clients of ThroughTek’s P2P platform.

A peculiarity of P2P SDKs is that OEMs are not just licensing a P2P software library, they also receive infrastructure services (the offsite P2P server) for authenticating clients and servers and handling the audio/video stream.

“We then started investigating the client implementation, soon realizing that it comes embedded with different sets of P2P libraries. The software client is essentially a white-label product, and for this very reason it needs to provide full interoperability with several P2P vendors,” Nozomi wrote in its blog post on Tuesday. “After setting a few breakpoints in the right spots, we managed to identify interesting code where the network’s packet payload is deobfuscated. We later parsed the code to understand which type of commands it contained.”

“We use the word “deobfuscated” to signify that the protocol lacks a secure key exchange and relies instead on an obfuscation scheme based on a fixed key,” Nozomi highlighted. “The consequences of the vulnerabilities of both Reolink and ThroughTek are similar: since this traffic traverses the internet, an attacker that is able to access it can reconstruct the audio/video stream,” it added.

As ThroughTek’s P2P library has been integrated by multiple vendors into many different devices over the years, it is virtually impossible for a third party to track the affected products. The threat model under which this type of vulnerability is exploitable, is the limiting factor for its actual impact. Essentially, any hacker that can access the network traffic between the NVR and the end user, including the P2P third-party server provider in some scenarios, could access and view confidential audio/video streams.

While doing further research, Nozomi stumbled upon more recent versions of the library, with a different obfuscation scheme and a different set of parameters. “We could not perform a dynamic analysis of those libraries because finding a device running the newer version of the protocol proved to be a bigger challenge than finding the vulnerability,” it added.

Generally, when a buyer looks at the technical details of various security cameras, they are unable to identify the P2P provider or find a proper description of the protocol. Unfortunately, most buyers do not have the skills or inclination to do this. Therefore, the best way to prevent captured audio/video content from being viewed by strangers over the internet is to disable P2P functionality.

“We recommend that users only enable P2P in the rare situations where the vendor can provide a thorough technical explanation of why the algorithms used in their products are secure,” Nozomi said.

Further considerations include assessing the security and privacy policies of both the camera vendor and the jurisdiction in which the vendor is located, it added.

Share on facebook
Share on google
Share on twitter
Share on linkedin
Share on whatsapp


Join over 5,000 Industrial OT & Cyber professionals

Weekly Newsletter direct to your inbox