Please Update the SDK Version to Minimize the Risk of Sensitive Information Being Accessed by an Unauthorized Third Party
Issue Time: August 2021
Dear Partners,
ThroughTek is aware of security vulnerabilities in IOTC encryption and device validation which could permit a malicious third party unauthorized access to sensitive information in transmission and on victim devices.
ThroughTek has focused its efforts on making mitigations and solutions for customers available as fast as possible and the related guidance has been updated as our understanding of the issue has evolved. We recommend customers adopt one of the following steps immediately:
- If using ThroughTek SDK v3.1.10 or above, please enable AuthKey and DTLS;
- If using a ThroughTek SDK version older than v3.1.10, please upgrade the library to v3.3.1.0 or v3.4.2.0, and enable AuthKey and DTLS.
More information is provided in the following Security Advisory. If you have any further questions, please contact your ThroughTek account manager.
ThroughTek-SA-51721: Security Vulnerabilities in IOTC Encryption and Device Validation
Publication Date: July 20, 2021
Last Update: August 13, 2021
VULNERABILITY DESCRIPTION
Outdated versions of the ThroughTek P2P SDK released prior to v3.1.10 (released by 2018) do not sufficiently protect data transferred between the local device and ThroughTek servers. This can allow an attacker to access sensitive information, such as camera feeds. Because of the lack of device validation, an attacker could also remotely compromise victim ThroughTek-enabled devices and access the audio/video data on those devices.
RISKS
- Device Spoofing
- Credential Hijacking
- Data Snippet
AFFECTED PRODUCTS AND VERSIONS
- SDK versions below 3.1.10
- SDK versions with nossl tag
- Device firmware that does not use AuthKey for IOTC connection
- Device firmware using the AVAPI module without enabling the DTLS mechanism
- Device firmware that uses P2PTunnel or RDT module
MITIGATIONS AND SOLUTIONS
ThroughTek has identified the following specific mitigations that customers can adopt to reduce the risks:
- If using ThroughTek SDK v3.1.10 or above, please enable AuthKey and DTLS;
- If using a ThroughTek SDK version older than v3.1.10, please upgrade the library to v3.3.1.0 or v3.4.2.0 and enable AuthKey and DTLS.
For more in-depth technical guidance, please contact your ThroughTek account manager.
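The affected-product criteria and the two mitigation steps above can be turned into an inventory check, so that a fleet of firmware builds can be audited against this advisory in one pass. The script below is an added example written for this notice; it is not ThroughTek code and does not call the SDK. The build record fields (name, SDK version string, AuthKey and DTLS flags, list of IOTC modules in use) and the sample inventory are constructed assumptions about how an integrator might track its own builds; the version thresholds, the nossl tag, the module names and the recommended actions are taken from the advisory.

```python
"""Audit a firmware inventory against ThroughTek-SA-51721 (added example, not vendor code)."""
from dataclasses import dataclass
import re

ADVISORY = "ThroughTek-SA-51721"
MIN_SAFE = (3, 1, 10)                       # SDK versions below this are affected outright
UPGRADE_TARGETS = ("3.3.1.0", "3.4.2.0")    # upgrade targets named in the advisory


def parse_version(text: str):
    """Parse 'v3.1.10', '3.3.1.0' or '3.1.10-nossl' into (numeric tuple, lowercase tag)."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)(?:[-_]([A-Za-z0-9]+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised SDK version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    tag = (m.group(2) or "").lower()
    return nums, tag


def version_lt(a, b):
    """Numeric comparison that tolerates different lengths (3.1.10 == 3.1.10.0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


@dataclass
class Build:
    # Assumed inventory record layout; adapt to your own build tracking.
    name: str
    sdk_version: str
    authkey: bool = False
    dtls: bool = False
    modules: tuple = ()


def assess(build: Build):
    """Return (affected, findings, action) for one build using the advisory's criteria."""
    nums, tag = parse_version(build.sdk_version)
    findings = []
    if version_lt(nums, MIN_SAFE):
        findings.append(f"SDK {build.sdk_version} is below 3.1.10")
    if tag == "nossl":
        findings.append("SDK build carries the nossl tag")
    if not build.authkey:
        findings.append("AuthKey not used for IOTC connection")
    mods = {m.upper() for m in build.modules}
    if "AVAPI" in mods and not build.dtls:
        findings.append("AVAPI module in use without DTLS enabled")
    for m in ("P2PTUNNEL", "RDT"):
        if m in mods:
            findings.append(f"{m} module in use")
    if not findings:
        return False, findings, "no action required by the advisory"
    # Map findings onto the two mitigation steps the advisory gives.
    if version_lt(nums, MIN_SAFE):
        action = f"upgrade library to {' or '.join(UPGRADE_TARGETS)} and enable AuthKey and DTLS"
    elif not build.authkey or not build.dtls:
        action = "enable AuthKey and DTLS"
    else:
        action = "affected module in use; request in-depth guidance from ThroughTek"
    return True, findings, action


def audit(builds):
    """Assess every build; returns {name: (affected, findings, action)}."""
    return {b.name: assess(b) for b in builds}


# Constructed sample inventory (not real products).
SAMPLE_INVENTORY = [
    Build("cam-old", "v3.0.2"),
    Build("cam-mid", "3.1.10", authkey=True, dtls=False, modules=("AVAPI",)),
    Build("cam-new", "3.4.2.0", authkey=True, dtls=True, modules=("AVAPI",)),
    Build("nvr-tunnel", "3.3.1.0-nossl", authkey=True, dtls=True, modules=("P2PTunnel",)),
]

if __name__ == "__main__":
    for name, (affected, findings, action) in audit(SAMPLE_INVENTORY).items():
        status = "AFFECTED" if affected else "ok"
        print(f"[{ADVISORY}] {name}: {status}; {action}")
        for f in findings:
            print(f"    - {f}")
```

Running the script prints one line per build with its status and the advisory's recommended action, followed by the individual findings; feeding it a real inventory is a matter of replacing SAMPLE_INVENTORY with records exported from your build system.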
GENERAL SECURITY RECOMMENDATION
With the rapid development of information technology, safeguarding products and services against malicious attacks is particularly challenging. ThroughTek therefore strongly encourages customers to update the SDK as new versions become available in response to security threats.
REFERENCES: CVE-2021-32934 / ICSA-21-166-01 and CVE-2021-28372 / ICSA-21-229-01