Security researchers have identified critical security vulnerabilities in IP cameras. Which models are affected is unclear, and it will be all but impossible to determine.
Eavesdropping attacks on IP cameras possible
Under certain conditions, the vulnerability is said to allow attackers to eavesdrop on IP cameras from different manufacturers. The vulnerability, which is classified as critical, lies in a software development kit (SDK) for the IP cameras. A fixed version of the SDK is said to be available already. Patching the vulnerability, however, is likely to be rather problematic.
Vulnerability in the SDK
The vulnerability affects ThroughTek's P2P SDK, which handles remote access to cameras via the Internet. It is used to watch video streams, for example. The vulnerability was discovered by security researchers from Nozomi Networks. Through this flaw, attackers can gain access to information that is normally sealed off.
IP cameras with the SDK are used in particular in industrial control, and if attackers exploit the vulnerabilities there, the consequences can be unforeseeable. The prerequisite for an attack is access to the camera's network traffic. According to the security researchers, it would then be possible to reconstruct the data traffic using a fixed key, and with it to recover video streams.
Security warning from ThroughTek
In a security warning, ThroughTek points to the fixed version (3.1.10) of the SDK. End users, however, cannot determine whether their own camera is affected by the vulnerability, because the SDK provider is one of many software suppliers to various IP camera manufacturers. The market in this area is difficult to survey.
Unfortunately, the fixed SDK does nothing for an affected model, because the vulnerable SDK is already installed on the camera in question. The manufacturer would first have to adopt the new SDK, build new software with it, and then deliver that software as an update. Whether this happens is rather questionable; users have to rely on the manufacturer. But even the manufacturers usually have no idea what exactly is used, since the components were merely bought in.
For secure use, IP cameras used for surveillance should not be accessible via the Internet. The security researchers advise Internet access only if the manufacturer can demonstrate the security of the P2P implementation through documentation.