Mandiant, CISA urge ThroughTek customers to fix software bug in millions of baby monitors, cameras
A flaw in software used by millions of smart home devices could allow hackers to intercept audio and video data on equipment such as baby monitors and web cameras, security researchers said Tuesday.
The vulnerability is in a software protocol made by Taiwanese internet of things (IoT) vendor ThroughTek, which has customers including the Chinese electronics giant Xiaomi. ThroughTek says 83 million devices made by other brands, such as the camera vendor Wyze, run its software.
To exploit the flaw, an attacker would need “comprehensive knowledge” of the software protocol, and to obtain unique identifiers used by the targeted device, according to Mandiant, a division of FireEye, which discovered the issue. With that access, a hacker could communicate with devices remotely, potentially leading to follow-on hacks. The Department of Homeland Security plans to issue a public advisory to raise awareness of the security issue, Mandiant said.
Yi-Ching Chen, an employee at ThroughTek’s Product Security Incident Response Team, said the firm had notified customers of the vulnerability and advised them on how to minimize security risks stemming from it.
“We consider cybersecurity seriously and take security measures while developing our products,” Chen said in an email. “We have a dedicated software test team to assure our software is built with great quality and security and perform penetration tests periodically.”
It’s the latest example in the long-running struggle to secure the IoT devices that are found throughout homes in the digital age. It follows another revelation in April of two dozen vulnerabilities discovered in software that’s embedded in equipment like smart TVs and wearable devices.
“Many consumers trust that the devices they place inside their homes will be secure by default,” said Jake Valletta, director of proactive services at Mandiant. “However, our research repeatedly indicates that security is not a priority for those implementing IoT devices and protocols.”
Some governments have begun to require vendors to adhere to minimum security standards, after years of relatively little attention on the issue. Congress, for example, last year passed long-awaited legislation that would set security requirements for IoT vendors that contract with the U.S. government.
However, security issues in the IoT industry run deep, and a single vulnerability often affects multiple vendors.
Like a lot of third-party software running on IoT devices, for example, the ThroughTek protocol is integrated into equipment by manufacturers and resellers, making it difficult to discern just how many devices might be affected by the flaw.
Mandiant advised users to update their software and take additional steps to mitigate the risk of the vulnerability being exploited.
It would be the second time in as many months that DHS’s Cybersecurity and Infrastructure Security Agency issued an advisory on a ThroughTek vulnerability. The agency previously warned about a flaw in ThroughTek software that exposed data sent from camera feeds to ThroughTek servers.