This nasty security vulnerability could turn millions of smart devices into spying tools

(Image credit: Shutterstock / rudall30)

A security vulnerability has been identified in software deployed across millions of internet-connected devices with audio and video functionality.

According to researchers at Nozomi Networks, the flaw could allow attackers to effectively turn smart devices - such as baby monitors, home security cameras or smart doorbells - into spying tools.

In a business context, meanwhile, the security flaw could be exploited to gain access to sensitive employee and customer data, or gather intel on production techniques.

The bug has been awarded a severity rating of 9.1/10 as per the Common Vulnerability Scoring System (CVSS), due to the wide scope and low complexity of the exploit.

IoT security vulnerability

The offending software component, known as P2P, is developed by a company called ThroughTek. In legitimate scenarios, the P2P SDK is used by manufacturers to build remote access functionality into IoT devices.

The vulnerability is said to affect P2P SDK versions 3.1.5 and prior, as well as any versions with the nossl tag. ThroughTek remedied the issue with version 3.3, rolled out in mid-2020, but a significant proportion of devices are thought to be running out-of-date builds.

A proof-of-concept developed by Nozomi demonstrates that older versions of the P2P SDK allow for data packets to be intercepted in transit and then decrypted. These packets can then be reconstructed into complete audio or video streams.

In a blog post, ThroughTek suggests an attacker would require a deep knowledge of network security, network sniffer tools and the encryption algorithm in order to execute the attack. And the researchers also conceded that it would be difficult for an attacker to identify which IoT devices are vulnerable and which not.

Nonetheless, manufacturers that utilize the P2P SDK are advised to upgrade to the latest version immediately to shield against attack.

“The most chilling reminder with this research is that despite all the technical advances in connected devices, and our reliance on them during the past year’s lockdown, IoT is still racked with insecurity,” said Nozomi.

Joel Khalili
News and Features Editor

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He's responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.