Millions of Internet-connected security cameras are vulnerable to video interception
Millions of security cameras contain a serious software vulnerability that allows unauthorized users to intercept the video stream.
According to the CVSS v3 scoring system, the vulnerability (CVE-2021-32934) is rated with a score of 9.1. The problem affects the third-party ThroughTek component used in the software of some security cameras. This same component is also used by a number of IoT device manufacturers.
The ThroughTek component is a peer-to-peer (P2P) software development kit (SDK) that provides access to video and audio streams over the Internet.
The vulnerability has not yet been exploited by attackers. The consequences of a successful attack could nevertheless be severe, and the developer has already released a fix.
Vulnerable versions:
All ThroughTek SDK versions below 3.1.10;
SDK builds with the nossl tag;
Device firmware that does not use AuthKey for the IOTC connection;
Device firmware that uses the AVAPI module without enabling the DTLS mechanism;
Device firmware that uses the P2PTunnel or RDT module.
Actions to take:
If the SDK version is 3.1.10 or above, enable AuthKey and DTLS;
If the SDK version is below 3.1.10, upgrade the library to 3.3.1.0 or 3.4.2.0 and enable AuthKey and DTLS.
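The version and configuration conditions listed above can be turned into a simple inventory check that tells an operator which devices are affected and which of the two recommended actions applies. The Python script below is an added example, not code from the article or from ThroughTek: the FirmwareProfile record, its field names, the sample inventory and the assess function are constructed for illustration, while the thresholds and feature names (3.1.10, 3.3.1.0, 3.4.2.0, nossl, AuthKey, DTLS, AVAPI, P2PTunnel, RDT) are taken from the advisory text as quoted here.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Thresholds and recommended upgrade targets as stated in the advisory.
MIN_SAFE_SDK = (3, 1, 10)
RECOMMENDED_UPGRADES = ("3.3.1.0", "3.4.2.0")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.1.10' or '3.3.1.0' into a tuple of ints.

    Trailing zero components are dropped so that versions written with a
    different number of components (3.1.10 vs 3.3.1.0) compare correctly.
    """
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


@dataclass
class FirmwareProfile:
    """Hypothetical inventory record (field names are assumptions for this example)."""
    device: str
    sdk_version: str
    nossl_build: bool          # SDK built with the 'nossl' tag
    authkey_enabled: bool      # AuthKey used for the IOTC connection
    uses_avapi: bool           # AVAPI module in use
    dtls_enabled: bool         # DTLS mechanism enabled
    uses_p2ptunnel_or_rdt: bool


def assess(p: FirmwareProfile) -> Tuple[bool, List[str]]:
    """Apply the advisory's conditions to one device.

    Returns (vulnerable, findings); each finding names the condition that
    matched and the action the advisory gives for it.
    """
    findings: List[str] = []
    version = parse_version(p.sdk_version)

    if version < MIN_SAFE_SDK:
        findings.append(
            f"SDK {p.sdk_version} is below 3.1.10: upgrade to "
            f"{' or '.join(RECOMMENDED_UPGRADES)} and enable AuthKey and DTLS"
        )
    if p.nossl_build:
        findings.append("SDK built with the nossl tag: use an SSL-capable build")
    if not p.authkey_enabled:
        findings.append("AuthKey not used for the IOTC connection: enable AuthKey")
    if p.uses_avapi and not p.dtls_enabled:
        findings.append("AVAPI module in use without DTLS: enable DTLS")
    if p.uses_p2ptunnel_or_rdt:
        findings.append("P2PTunnel or RDT module in use: listed as affected; apply the vendor's updated library")

    return (len(findings) > 0, findings)


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    FirmwareProfile("cam-a", "3.0.5", False, False, True, False, False),
    FirmwareProfile("cam-b", "3.3.1.0", False, True, True, True, False),
    FirmwareProfile("cam-c", "3.1.10", True, True, False, False, True),
]


def assess_inventory(profiles: List[FirmwareProfile]) -> dict:
    """Map each device name to its (vulnerable, findings) result."""
    return {p.device: assess(p) for p in profiles}


if __name__ == "__main__":
    for device, (vulnerable, findings) in assess_inventory(SAMPLE_INVENTORY).items():
        status = "VULNERABLE" if vulnerable else "ok"
        print(f"{device}: {status}")
        for f in findings:
            print(f"  - {f}")
```

The check relies on what the inventory records about each firmware build; it does not probe the device, so a device whose SDK version or feature flags are unknown should be treated as unassessed rather than safe. As the article notes, the actual remediation for end users is the firmware update shipped by the camera manufacturer.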
End users will have to wait until the manufacturers of security cameras and other affected devices release updates.
Source: securitylab.ru
17 June 2021