A security vulnerability has been identified in software deployed across millions of internet-connected devices with audio and video functionality.
According to researchers at Nozomi Networks, the flaw could allow attackers to effectively turn smart devices - such as baby monitors, home security cameras or smart doorbells - into spying tools.
In a business context, meanwhile, the security flaw could be exploited to gain access to sensitive employee and customer data, or gather intel on production techniques.
- Here's our list of the best endpoint protection services around
- Check out our list of the best antivirus services out there
- We've built a list of the best malware removal software right now
The bug has been awarded a severity rating of 9.1/10 as per the Common Vulnerability Scoring System (CVSS), due to the wide scope and low complexity of the exploit.
IoT security vulnerability
The offending software component, known as P2P, is developed by a company called ThroughTek. In legitimate scenarios, the P2P SDK is used by manufacturers to build remote access functionality into IoT devices.
The vulnerability is said to affect P2P SDK versions 3.1.5 and prior, as well as any versions with the nossl tag. ThroughTek remedied the issue with version 3.3, rolled out in mid-2020, but a significant proportion of devices are thought to be running out-of-date builds.
A proof-of-concept developed by Nozomi demonstrates that older versions of the P2P SDK allow for data packets to be intercepted in transit and then decrypted. These packets can then be reconstructed into complete audio or video streams.
In a blog post, ThroughTek suggests an attacker would require a deep knowledge of network security, network sniffer tools and the encryption algorithm in order to execute the attack. And the researchers also conceded that it would be difficult for an attacker to identify which IoT devices are vulnerable and which not.
Nonetheless, manufacturers that utilize the P2P SDK are advised to upgrade to the latest version immediately to shield against attack.
“The most chilling reminder with this research is that despite all the technical advances in connected devices, and our reliance on them during the past year’s lockdown, IoT is still racked with insecurity,” said Nozomi.
- Take a look at our list of the best firewalls
