Mass P2P Video Surveillance Vulnerability Impacts Millions (ThroughTek)
P2P has become a major alternative to the insecurity of port forwarding, but one of the most widely used P2P providers, ThroughTek (whose customers have included Swann, Foscam, Wyze, and many more), has been found to have a serious vulnerability in its widely used SDK.
In this report, we explain the vulnerability, identify which companies use ThroughTek's P2P platform, examine the impact, and describe how the vulnerability is fixed, including feedback from ThroughTek.
Attack *******
*** ************* ****** ********* ** ******** access ***** *** ***** **** *** Internet, **** * **********-******* *** ** camera. ** *** ***** ** **********'* SDK (********* *** *** ******** ** to *** ********* ******* *.*.*.), ***** prior ** *********, *** *** ******* encrypted ************** ******* ****** ******* (*.*. NVRs, *******) *** ********** *** ******* servers.
******** ******** ******* **************** *** ************* ***** ** * basic *****-***** ******* ****** ********** ******** that ******** ******* *** *******:
******* *** *** *** ********** ** use * ***** ***, ****** **** a ******** ****** *** ********, ****** noted:
***** **** ******* ********* *** ********, an ******** **** ** **** ** access ** *** *********** *** *****/***** stream.
*** ********* ** * *****-**-******* ****** we *********, ***** ************ **-***-*** ******* from *** ******* *******. *** ****** starting **** **** ** *** *** that ******** ********** * ****** ** the *** *******.
****** **** ***** **** ***** ** attacker *** *** ** ****** *** traffic ** ********** *******, ******* ******* that *** *** ******* *** *** a ****** *** ********, *********** ***** devices *** ********** ******** ** ***** step.
*******, **** ******** ********** ** ******* against ***** *** ********, ******:
******* ******* * ****** ******* *** newer ******* ** *** ******** ****** to ** * ****** ********* **** finding *** *************.
Impacts ******** ** *******
**********'****** *.*** ******** ** * ******** ********* for ***+ **** **** **+ ************* (such ** ***** ** ********* ** Ambarella) **** *** **** ** *** IoT *** ************ **********, ********* ************, home **********, ***** ****, *** ***** retail.
********** ********* **** ******* ******* ******** include ******, *****, *** ****. ********** also ****** **** ***** ********, *****, Guardzilla, *********, **, *****, ***** ***, HP, *******, ********, *******, ******, *** current ** **** *********, **** ******** ** ****. *********** ***** ** ***** *********' production *********** *** ********** ** ********* and *******.
** ***** **** ** **** **** ever, ** ***** ***** * ********** version ** ********** ***, *** **** did *** *******. ** **** ****** the ****** ** **** **.
Encryption *******, *** ********
*** ******* ********* ********* ** * connector ****** *** ****** ******** **** they ***** ******** ******** ****** ** end ** *** ********** *** *****-****** authentication:
*******, **** ***** **** ********** *** not ******* *** *** ** ********** of *** *********, ***** ****** *** vulnerability. **** **** **** **** ******** education *** ********* ** *** ***** system ** * **** ****** ******:
** * *** ******** ********, ** continuously ********* ********** ******** *** ***** service ** ******* ****** ******** ********* to ***** ** *******, **********, *** client ***. ******** ** ****** ***** what ***/******** **** ********** **** *** in *** ***, **** **** ******** our *********** ******** *** **** **** our ********* *** ** ********* ** avoid ******* ******** ******.
SDK / ******** ****** ********
*** ********* *** ********** *** *** customers ** ******** ** ******* **** firmware *******, ***** ********** *********** *** those ******* **** ****** ** ******* remotely ****-***-***.
** ****, ******** ******** *** ******** to ****** ** * ****** ******* due ** *** ****** ** *** consumers ** ***** ***-**** *******; **** do *** ******** ******* *********, *** typically ***/****** ******* **** ******* ********* of ************* ******.
Critical ************* *******
****************** ** ********** *** *********** ********* the ************* ** ********** ** ***** 2021. *** ************* ** ********* ****** on ***** *** ******* ******* ******** details:***-****-*****.
*** ************* *** ***** * **** v3 **** ***** ** *.* *** to *** **** ** ****** ** live/recorded ***** *** *****, ****** *************, the *** ********** ** *** ******, and ** *********** ** ******** ********. The **** ****** ****** ** (**:*/**:*/**:*/**:*/*:*/*:*/*:*/*:*).
**** ** * ****** ******, ******* to *************** **** *******'* ********* ************* ************ ************* **** **** ******* ****** ****/*********** knowledge ** ******.
ThroughTek ********
****** ***** ******* ***,************* *********** ** ****** ** ****. They *** * ***** ********** ******** in *** ***/***** ****** *** ***** surveillance **********. ** ****, **** ******** the ***** ********, ***** ** ******* to **** *************.
********** ** * ******** *******, ** such, **** ** *** ******* ******** devices *** **** **** ******** ************* and ****/********** ** ********* ******** ******** of ******** *** ******** ***********.
ThroughTek ****** *********
**********'************* ** *** ********************* **** **** ********* **** ** fault *** *********** ***** *** ***, or ****** ** ****** *******:
******** ********** **., ***. (*********** ******** to ** ****) *** ********** **** customers *** *********** *********** *** *** or **** *********** *** *** ******* updates.
***** ********** ** ********** ************** *** the *************, **** ******* *** ****** to ********* *** *** ** ** unsecured ******, ***** ***** ********* *** because ** *** ******/****** **** ******** for ******* *******.
********** **** **** **** **** ********* customers ** ******* *** ***, *** older ******** ** *** ******* ****-***-*** or ****** ****-***-******** ********:
*** *** **** ***** *****, ** have **** ********* *** ********* ** upgrade ***** ***. **** *** ******* lack *** ******** ***** ***** *** FW ******* **********. ** ********, ** have ********* **** ***’* **** ** enable *** **** ******* ** ***** slow **** *** ********** ************* *****, therefore *** ******** ** *******. **** provides *** **** ********* ***** *** API *** ******* ***********, ** ** not ****** *** ******** *** ********* for ** **********
ThroughTek ***** ***** **** ****
***** ********** *** *** ******** ******** the ************* ***** ** *** *********** forced ** *** **** *** ****** announcements, **** ****** ****** **** ****** ***** **, ****, *********** ********* to ****** ******* *** **** ******** features, *** ** ***** ***:
*** ******* ********* ******** ******* ***** of *** ********** **********. ***** ******** the ******* *********, *** *** ******* will **** ** ***** ******* **** peer ** * ********** ******** *** same ******* ****** **** *** *** up * **********. ** ******** ****, data ******** **** ** ********. ** encourage *** ********* ** ********* ******* and ****. ** *** **** ****, please **** **** ** ******* **** sales ***************.
** **** *****, ********* ** ******, ThroughTek *** ***** ** *** *****.
Nozomi ********
****** *** *********** ** ********** ** 2013, ** **-*********** ****** ************* ****** *******, **** **** ****** *********** ** software *** ******** **** ********. ****** offers ************* ******** *** ********** ******** and ******* *** ************* *** *****, and ****** ******* ****** *********.
************, **** ******* ****** ******* ****, which ***** *** ********** *************, *********** * ******* *** ****** *************. **** ****** **** ***** *** receives ******* *** ****** **********:
** ****** ******** ** **** * continuous ******** ** ******* **** ***** our *** ***********, **** *** ** IoT ** ******* *******. **** ** receive * *** ******, *** ** the ***** ********** ** ** ** analyze *** ******* *******.
***** **** ******* ************* (***-****-*****) *** announced *********:
****, **** ** * ********* *** to ******* ******* *** **** * valid *** ** *******.
** ****** ******:
** *******, *** ***** **** *** access *** ******* ******* ******* *** NVR *** *** *** ****, ********* the *** *****-***** ****** ******** ** some *********, ***** ****** *** **** confidential *****/***** *******.
** *** **** * *** ** sniff ***** ***** ******* ** * non-public ******* ** *** * ***.
*** **** ** * *** *** from *** ********* ***** ****-***** ********, which ******* ****** **** ******** ** discover * ****** *** **** ******* it ********.
** **** ** *********** ** *** if **** **** **** *******. ***** is ******* ***** **** * ******* not ********** ****** **** ** ******** the ******** ** ***** ********.
* **** ********** **** * ******* needs ** ******* * ********* *** investigate *** ***** ******* ** **** speaking *** *** **** *** ******* out ********* ***********.