This nasty security vulnerability could turn millions of smart devices into spying tools
IoT security bug could allow attackers to access confidential audio and video feeds
A security vulnerability has been identified in software deployed across millions of internet-connected devices with audio and video functionality.
According to researchers at Nozomi Networks, the flaw could allow attackers to effectively turn smart devices - such as baby monitors, home security cameras or smart doorbells - into spying tools.
In a business context, meanwhile, the security flaw could be exploited to gain access to sensitive employee and customer data, or gather intel on production techniques.
The bug has been awarded a severity rating of 9.1/10 as per the Common Vulnerability Scoring System (CVSS), due to the wide scope and low complexity of the exploit.
IoT security vulnerability
The offending software component, known as P2P, is developed by a company called ThroughTek. In legitimate scenarios, the P2P SDK is used by manufacturers to build remote access functionality into IoT devices.
The vulnerability is said to affect P2P SDK versions 3.1.5 and prior, as well as any versions with the nossl tag. ThroughTek remedied the issue with version 3.3, rolled out in mid-2020, but a significant proportion of devices are thought to be running out-of-date builds.
A proof-of-concept developed by Nozomi demonstrates that older versions of the P2P SDK allow for data packets to be intercepted in transit and then decrypted. These packets can then be reconstructed into complete audio or video streams.
In a blog post, ThroughTek suggests an attacker would require a deep knowledge of network security, network sniffer tools and the encryption algorithm in order to execute the attack. The researchers also conceded that it would be difficult for an attacker to identify which IoT devices are vulnerable and which are not.
Nonetheless, manufacturers that utilize the P2P SDK are advised to upgrade to the latest version immediately to shield against attack.
“The most chilling reminder with this research is that despite all the technical advances in connected devices, and our reliance on them during the past year’s lockdown, IoT is still racked with insecurity,” said Nozomi.
Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He’s responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.