The US Department of Homeland Security has disclosed a new vulnerability in the IoT supply chain that could severely affect Internet of Things devices. Security experts warned that the flaw may impact millions of connected cameras across the globe and could allow attackers to intercept their video streams, exposing sensitive information about businesses, manufacturing processes, and employees of critical infrastructure operators.
DHS and Nozomi Networks disclosed the issue in a software component from the company ThroughTek. The component is a key part of the supply chain that several original equipment manufacturers (OEMs) use to build IP cameras, baby and pet monitors, robotic and battery-powered devices, and other IoT devices. According to ThroughTek, its solution is used by millions of connected devices. The bug was found in a P2P SDK produced by the company; the P2P component gives a client, typically a mobile app, access over the internet to the video or audio stream of a camera or other device. Because of the vulnerability, affected cameras carry a serious risk of unauthorized access to confidential audio or video feeds.
According to Nozomi Networks, the transmission protocol used for the data streams lacks a strong, secure key exchange and instead relies on an obfuscation scheme based on a fixed key. As a result, attackers could access and alter the data streams and effectively snoop on users. CISA published a security advisory for the ThroughTek P2P SDK on June 15 and rated the vulnerability 9.1 on the CVSS severity scale. In its release, CISA said that the ThroughTek P2P products do not protect the data transferred between remote devices and ThroughTek servers.
CISA's newly released ICS Advisory states that the vulnerability affects SDK versions 3.1.5 and earlier, as well as SDK versions with the nossl tag. It also affects device firmware that uses the AVAPI module without enabling the DTLS mechanism, and firmware that uses the P2PTunnel or RDT module. According to the advisory, the vulnerability is also present in device firmware that does not use an AuthKey for the IOTC connection.
ThroughTek attributed the problem to developers who implemented the SDK incorrectly and failed to update it. The firm said that version 3.3 of its P2P library TUTK, released in mid-2020, addresses the flaw, and it asked customers to update the SDK version used in their products. The company recently confirmed that some of its customers had ignored the SDK updates.
In a statement, ThroughTek said it strongly recommends that customers review the SDK version applied to their devices and follow all the instructions to avoid further problems. The disclosure of this bug illustrates the challenges users face with IoT and other devices that have complex supply chains and rely on third-party components.
Credits
For more information on the ThroughTek IoT supply chain vulnerability, see the linked site.