Latest News & Notices

Please Update the SDK Version to Minimize the Risk of Sensitive Information Being Accessed by Unauthorized Third Parties

Issue Time: August 2021

Dear Partners,

ThroughTek is aware of security vulnerabilities in IOTC encryption and device validation that could give a malicious third party unauthorized access to sensitive information in transmission and on victim devices.

ThroughTek has focused its efforts on making mitigations and solutions available to customers as fast as possible, and the related guidance has been updated as our understanding of the issue has evolved. We recommend that customers adopt one of the following steps immediately:

  • If using ThroughTek SDK v3.1.10 and above, please enable AuthKey and DTLS;
  • If using ThroughTek SDK versions older than v3.1.10, please upgrade the library to v3.3.1.0 or v3.4.2.0, and enable AuthKey and DTLS.

More information is provided in the following Security Advisory. If you have any further questions, please contact your ThroughTek account manager.

 

ThroughTek-SA-51721: Security Vulnerabilities in IOTC Encryption and Device Validation

Publication Date: July 20, 2021

Last Update: August 13, 2021

 

VULNERABILITY DESCRIPTION

The affected, outdated ThroughTek P2P SDK versions prior to v3.1.10 (released by 2018) do not sufficiently protect data transferred between the local device and ThroughTek servers. This can allow an attacker to access sensitive information, such as camera feeds. Because of the lack of device validation, an attacker could also remotely compromise victim ThroughTek-enabled devices and access the audio/video data on those devices.

 

RISKS

  • Device Spoofing
  • Credential Hijacking
  • Data Snippet

 

AFFECTED PRODUCTS AND VERSIONS

  • SDK versions below 3.1.10
  • SDK versions with the nossl tag
  • Device firmware that does not use AuthKey for the IOTC connection
  • Device firmware using the AVAPI module without enabling the DTLS mechanism
  • Device firmware that uses P2PTunnel or RDT module

 

MITIGATIONS AND SOLUTIONS

ThroughTek has identified the following specific mitigations that customers can adopt to reduce the risks:

  • If using ThroughTek SDK v3.1.10 and above, please enable AuthKey and DTLS;
  • If using ThroughTek SDK versions older than v3.1.10, please upgrade the library to v3.3.1.0 or v3.4.2.0, and enable AuthKey and DTLS.

For more in-depth technical guidance, please contact your ThroughTek account manager.
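
As an added illustration (not ThroughTek code and not part of the advisory), the affected-product criteria and mitigations listed above can be applied to a firmware inventory as shown here. The Firmware record, its field names, the sample devices, and the assumption that the nossl tag appears inside the version string are all hypothetical.

```python
import re
from dataclasses import dataclass

FLOOR = (3, 1, 10, 0)  # advisory: SDK versions below 3.1.10 are affected
@dataclass(frozen=True)
class Firmware:            # hypothetical inventory record, not a ThroughTek structure
    sdk_version: str       # assumed format, e.g. "3.1.9.2" or "3.4.2.0-nossl"
    authkey: bool          # AuthKey used for the IOTC connection
    dtls: bool             # DTLS enabled
    modules: frozenset = frozenset()   # any of "AVAPI", "P2PTunnel", "RDT"

def parse_version(text):
    """Numeric tuple padded to four parts, so 3.1.9 sorts below 3.1.10."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised SDK version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def triage(fw):
    """Return (findings, action) using the advisory's affected list and mitigations."""
    old = parse_version(fw.sdk_version) < FLOOR
    checks = [
        (old, "SDK version below 3.1.10"),
        ("nossl" in fw.sdk_version.lower(), "SDK build with nossl tag"),
        (not fw.authkey, "AuthKey not used for IOTC connection"),
        ("AVAPI" in fw.modules and not fw.dtls, "AVAPI module without DTLS"),
        (bool(fw.modules & {"P2PTunnel", "RDT"}), "uses P2PTunnel or RDT module"),
    ]
    findings = [label for hit, label in checks if hit]
    if not findings:
        return findings, None
    if old:
        action = "upgrade library to v3.3.1.0 or v3.4.2.0 and enable AuthKey and DTLS"
    elif not (fw.authkey and fw.dtls):
        action = "enable AuthKey and DTLS"
    else:  # the advisory lists no specific step for these cases
        action = "contact your ThroughTek account manager"
    return findings, action

# Constructed sample inventory (not real devices).
SAMPLES = {
    "cam-a": Firmware("3.1.9.2", False, False, frozenset({"AVAPI"})),
    "cam-b": Firmware("v3.3.1.0", True, True, frozenset({"AVAPI"})),
    "cam-c": Firmware("3.4.2.0-nossl", True, True, frozenset({"RDT"})),
}
if __name__ == "__main__":
    for name, fw in SAMPLES.items():
        print(name, *triage(fw), sep=" | ")
```

Versions are compared as integer tuples because a plain string comparison would rank 3.1.9 above 3.1.10 and miss an affected build.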

 

GENERAL SECURITY RECOMMENDATION

With the rapid development of information technology, safeguarding the cybersecurity of products and services against malicious attacks is particularly challenging. Therefore, ThroughTek strongly encourages our customers to update the SDK as new versions become available in response to security threats.

 

REFERENCES: CVE-2021-32934 / ICSA-21-166-01 and CVE-2021-28372 / ICSA-21-229-01

 
