IoT Supply Chain Bug Hits Millions of Cameras
Security experts have warned of a critical IoT supply chain vulnerability that may affect millions of connected cameras globally, allowing attackers to hijack video streams.
Nozomi Networks revealed the flaw in a popular software component from ThroughTek, which OEMs use to build IP cameras, baby and pet monitoring cameras, and robotic and battery-powered devices.
The bug itself is found in a P2P SDK produced by ThroughTek. In this case, P2P refers to functionality that allows a client in a mobile or desktop app to reach the audio/video streams of a camera or other device over the internet.
Nozomi Networks claimed that the protocol used for transmission of those data streams “lacks a secure key exchange and relies instead on an obfuscation scheme based on a fixed key.”
Because the key is fixed and shared by every build of the SDK rather than negotiated per session, anyone who can capture the traffic and knows that key can reconstruct the audio/video stream, effectively enabling them to snoop on users remotely.
CISA released its own security alert for the ThroughTek P2P SDK yesterday, giving it a critical CVSS score of 9.1. According to the advisory, the issue affects: versions 3.1.5 and older; SDK versions with the nossl tag; and device firmware that does not use AuthKey for the IOTC connection, that uses the AVAPI module without enabling DTLS, or that uses the P2PTunnel or RDT module.
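To make concrete what “an obfuscation scheme based on a fixed key” means for someone on the network path, here is an added example; it is not code from ThroughTek, Nozomi or CISA, and the page does not describe the real SDK's internals. The fixed key, the keystream primitive (HMAC-SHA256 in counter mode, XORed into the frame) and the video frame are all constructed stand-ins. The per-session alternative uses ephemeral finite-field Diffie-Hellman over the RFC 3526 group 14 prime purely as a standard-library stand-in for the DTLS handshake that the CISA advisory names for the AVAPI module.

```python
"""Added example: fixed-key stream obfuscation versus a per-session key.
Not ThroughTek's or Nozomi's code; all keys, primitives and frames are
constructed stand-ins so the script runs on the standard library alone."""
import hashlib
import hmac
import secrets

# Stand-in for a key baked into every build of an SDK: every device and every
# client app ships the same bytes, so the key is public knowledge once one
# firmware image has been unpacked.  (Constructed value, not the real key.)
SDK_FIXED_KEY = b"example-fixed-sdk-key"


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode.  It stands in for whatever
    scrambling primitive the SDK uses; the weakness shown below is the key
    management, not the primitive."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


# --- Scheme A: fixed key, as in the affected SDK configurations ---------------

def device_send_fixed(frame: bytes) -> bytes:
    """What the camera puts on the wire under the fixed-key scheme."""
    return xor_bytes(frame, keystream(SDK_FIXED_KEY, len(frame)))


def eavesdropper_decode_fixed(captured: bytes) -> bytes:
    """A third party on the path needs nothing from this session: the key is
    the same one every other device and app already carries."""
    return xor_bytes(captured, keystream(SDK_FIXED_KEY, len(captured)))


# --- Scheme B: per-session key from an ephemeral Diffie-Hellman exchange ------
# 2048-bit MODP prime from RFC 3526 section 3 (group 14), transcribed here;
# verify it against the RFC before reusing it anywhere that matters.  Real
# deployments use DTLS (a full handshake plus an authenticated cipher); plain
# DH is used only because the Python standard library has no ECDH.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def dh_keypair() -> tuple:
    """Fresh private exponent and public value, generated for one session."""
    priv = secrets.randbelow(P - 3) + 2          # 2 <= priv <= P-2
    return priv, pow(G, priv, P)


def dh_session_key(priv: int, peer_pub: int) -> bytes:
    """Shared secret hashed down to a symmetric key (minimal KDF)."""
    if not 1 < peer_pub < P - 1:                 # reject degenerate peer values
        raise ValueError("invalid DH public value")
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes((P.bit_length() + 7) // 8, "big")).digest()


def session_exchange(frame: bytes) -> dict:
    """Run one camera<->app session; return what the app decodes and exactly
    what a passive observer on the path was able to see."""
    cam_priv, cam_pub = dh_keypair()
    app_priv, app_pub = dh_keypair()
    cam_key = dh_session_key(cam_priv, app_pub)
    app_key = dh_session_key(app_priv, cam_pub)
    on_wire = xor_bytes(frame, keystream(cam_key, len(frame)))
    return {
        "app_view": xor_bytes(on_wire, keystream(app_key, len(on_wire))),
        "observer_saw": {"cam_pub": cam_pub, "app_pub": app_pub, "ciphertext": on_wire},
    }


def eavesdropper_guess_session(observer_saw: dict) -> bytes:
    """The observer holds both public values, the ciphertext and the SDK, but
    no private exponent, so there is no session key to derive.  Reusing the
    SDK-wide key, which worked against Scheme A, just yields garbage."""
    ct = observer_saw["ciphertext"]
    return xor_bytes(ct, keystream(SDK_FIXED_KEY, len(ct)))


if __name__ == "__main__":
    frame = b"\x00\x00\x01\xb6" + b"constructed video frame payload"  # sample, not real video
    print("fixed key, observer recovers:", eavesdropper_decode_fixed(device_send_fixed(frame)) == frame)
    s = session_exchange(frame)
    print("session key, app recovers:", s["app_view"] == frame)
    print("session key, observer recovers:", eavesdropper_guess_session(s["observer_saw"]) == frame)
```

Running it prints True, True, False: under the fixed-key scheme the observer recovers the frame with no per-session knowledge at all, whereas with a per-session key the app still decodes the stream and the observer, despite seeing every byte on the wire, does not. Note that this toy exchange is unauthenticated, which is why the CISA list also names AuthKey: a key exchange without authentication stops passive capture but not an active man-in-the-middle.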
ThroughTek placed the blame firmly on developers who have incorrectly implemented its SDK or failed to update the offering.
It said version 3.3 was introduced in mid-2020 to fix this vulnerability and urged customers to update the SDK version used in their products. Given CISA's list of affected configurations, updating the SDK alone is not enough: firmware that still skips AuthKey for the IOTC connection or runs the AVAPI module without DTLS remains exposed.
It also acknowledged that the bug could lead to unauthorized eavesdropping on camera video and audio, device spoofing and device certificate hijacking.
The case highlights the challenges facing users of IoT and other devices, which have complex supply chains using components from third parties.
Last year, several zero-day vulnerabilities were discovered in a widely used low-level TCP/IP software library that may have affected hundreds of millions of IoT devices.
In April this year, researchers found multiple flaws dubbed “Name:Wreck” in the FreeBSD operating system and various IoT/OT firmware stacks, which they claimed could be present in over 100 million devices.