Latest News & Notices

Please Update the SDK Version to Minimize the Risk of Sensitive Information Being Accessed by Unauthorized Third-Party

Issue Time: August 2021

Dear Partners,

ThroughTek is aware of the security vulnerabilities in IOTC encryption and device validation which could permit a malicious third-party unauthorized access to sensitive information in transmission and on victim devices.

ThroughTek has focused its efforts on making mitigations and solutions for customers available as fast as possible and the related guidance has been updated as our understanding of the issue has evolved. We recommend customers adopt one of the following steps immediately:

If using ThroughTek SDK v3.1.10 and above, please enable AuthKey and DTLS;

If using ThroughTek SDK the older versions prior to v3.1.10, please upgrade library to v3.3.1.0 or v3.4.2.0, and enable AuthKey and DTLS.

More information is provided in the following Security Advisory. If you have any further questions, please contact your ThroughTek account manager.

ThroughTek-SA-51721: Security Vulnerabilities in IOTC Encryption and Device Validation

Publication Date: July 20, 2021

Last Update: August 13, 2021

VULNERABILITY DESCRIPTION

The affected ThroughTek P2P SDK outdated versions released prior to v3.1.10 (released by 2018) do not sufficiently protect data transferred between the local device and ThroughTek servers. This can allow an attacker to access sensitive information, such as camera feeds. Lack of device validation, an attacker could also remotely compromise victim ThroughTek-enabled devices and access the audio/video data on victim devices.

RISKS

Device Spoofing
Credential Hijacking
Data Snippet

AFFECTED PRODUCTS AND VERSIONS

SDK versions below 3.1.10
SDK versions with nossl tag
Device firmware that does not use AuthKey for IOTC connection
Device firmware using the AVAPI module without enabling DTLS mechanism
Device firmware that uses P2PTunnel or RDT module

MITIGATIONS AND SOLUTIONS

ThroughTek has identified the following specific mitigations that customers can adopt to reduce the risks:

If using ThroughTek SDK v3.1.10 and above, please enable AuthKey and DTLS;
If using ThroughTek SDK the older versions prior to v3.1.10, please upgrade library to v3.3.1.0 or v3.4.2.0 and enable AuthKey and DTLS.

For more in-depth technical guidance, please contact your ThroughTek account manager.

GENERAL SECURITY RECOMMENDATION

With the rapid development of information technology, safeguarding the cybersecurity of the products and services from malicious attacks is particularly challenging. Therefore, ThroughTek strongly encourages our customers to update SDK as new versions become available in response to security threats.

REFERENCES: CVE-2021-32934 / ICSA-21-166-01 and CVE-2021-28372/ ICSA-21-229-01

More Latest News & Notices

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data. Like many websites, TUTK analyzes log file information and other data collected through cookies, web beacons, and other tracking technology, to collect information about your browsing behavior when you visit our website, including for example, your browser type, domains, page views, IP address, referring/exit pages, information about how you interact with our websiite’s webpages and with third-party links, traffic and usage trends on the service, etc. We use session cookies to keep you logged in while you use features of our websites; these disappear after you close your browser. We also use persistent cookies, which stay in your browser and allow us to recognize you when you return to our websites. We use this to remember your information so you will not have to re-enter it, to better understand how you use our website and products and services. In some of our email messages, we use a “click-through URL” linked to content on the Site. We track this click-through data to help us measure the effectiveness of our customer communications. We also use third-party analytics tools (including Google Analytics) to assist us with analyzing and improving our service. Most Internet browsers automatically accept cookies, but you may be able to change the settings of your browser to stop accepting cookies or to prompt you before accepting a cookie from the websites you visit. If you set your browser to reject cookies, parts of our websites may not work for you. Please note, depending on your type of device or browser, it may not be possible to delete or disable all tracking mechanisms on your device.