SDK failure puts IoT cameras and devices at risk

Sheila Zabeu

June 25, 2021

A flaw in a software development kit (SDK) used by security camera manufacturers could allow hackers to remotely access captured images. Researchers at Nozomi Networks, a cybersecurity company for the industrial and Internet of Things (IoT) sectors, revealed that the vulnerability affects the P2P SDK provided by ThroughTek to many OEMs producing security cameras and other IoT devices.

In the context of security cameras, P2P refers to functionality that allows audio and video streams to be accessed over the Internet. Nozomi Networks identified the vulnerability in March 2021 and reported it to ThroughTek, which immediately acknowledged the issue.

According to Nozomi Networks, ThroughTek has also notified customers and committed to patching the vulnerability by adding a “DTLS-based ECDSA-PSK encryption layer”. A ThroughTek webpage, dated June 2021, addressing the SDK vulnerability, advises enabling the security feature or upgrading to a current version. An alert about the flaw was also issued by the US Cybersecurity and Infrastructure Security Agency (CISA), which advised OEMs to take steps to prevent the exploitation of their devices.

Since ThroughTek’s P2P library is integrated by several vendors in many different devices, it is almost impossible to trace the affected products.

Nozomi Networks researchers warn that the best way to prevent content captured by the cameras from being viewed by strangers via the Internet is to disable the P2P functionality. This function should only be enabled in rare situations and when the vendor guarantees that algorithms used by their products are secure. Unfortunately, most users will not have the skills or inclination to question this.

One should not forget the lesson of the SolarWinds case about supply-chain attacks, which corrupt a particular process and spread problems across multiple industries. The same can happen with vulnerable surveillance cameras. A recent incident involving Verkada, a company that offers security services using internet-connected cameras and cloud platforms to share the videos, ended up exposing live feeds from 150,000 surveillance cameras inside hospitals, police departments, prisons, and schools. It also involved automaker Tesla and software company Cloudflare.

Watching who watches

Surveillance solutions represent the biggest area of technology for smart cities, and among them are IP (internet-connected) cameras. Yet they don’t seem to be getting enough attention when it comes to cybersecurity, even though several years have passed since the 2016 Mirai botnet incident, which originated from IoT devices such as cameras and DVR players and brought down major DNS servers and, consequently, large websites in the US and Europe.

Certainly, part of the responsibility for the carelessness regarding IP camera security lies with manufacturers, OEMs, and SDK developers like ThroughTek, but users are also an important link in the management of cybersecurity, especially when it comes to passwords. Many end up leaving the equipment with default passwords, which come from the factory. In this regard, manufacturers could collaborate, forcing users to change passwords right after installation. Perhaps they do not do this to avoid a greater flow of technical support calls.

One way to change this scenario would be for consumers to consider security among the relevant factors during the purchase selection process, not just price and performance. Admittedly, the task of checking whether one camera is more secure than another may not be easy for average consumers without technical knowledge, but many more product reviews are published on the Internet now than in 2016, at the time of the Mirai attack. In any case, IP cameras should be thought of like any other equipment connected to the Internet and, therefore, as susceptible to cyberattacks. They should also be subject to updates and patches if flaws are identified.

In addition to hacker attacks, cameras connected to the Internet can also be exploited to invade the privacy of individuals or company environments. Visit the IoT search engine, search for popular camera names and you will see images of, for example, city centers, production spaces, among others – a sign that privacy has been neglected.

Anyway, because prevention is better than cure, it pays to know if your IP cameras have vulnerabilities so you can eliminate them before hackers get in on the act. The CVE security vulnerability database can be very useful as it tracks flaws in all types of IoT devices and allows searches by manufacturer, product, and version, revealing specific flaws and their severity levels. Let’s get to work!