The U.S. Cybersecurity and Infrastructure Security Agency (CISA), on Friday, Issued an advisory about a critical vulnerability in the ThroughTek software that is being used in the devices, including baby monitoring cameras, which may give hackers access to audio and video streams, and Its feeds.

In addition to possible leakage of data, and video, and the company acknowledges that the vulnerability could allow an attacker to could also allow attackers to spoof devices and hijack device certificates. CISA gave the vulnerability a score of 9.1 out of 10 on the CVSS vulnerability severity scale. 

The ThroughTek, point-to-point-to-point (P2P) SDK, is widely used in IoT devices, video surveillance, and audio /video capabilities, including IP-based cameras, a child and a pet, surveillance cameras, smart devices, and sensors to remotely access media content on the Internet. 

ThroughTek’s point-to-point (P2P) SDK is widely used by IoT devices with video surveillance or audio/video transmission capability such as IP cameras, baby and pet monitoring cameras, smart home appliances, and sensors to provide remote access to the media content over the internet.

Security Company, Nozomi Networks, found that vulnerability in the P2P file sharing SDK ThroughTek, and then sent them a Notice about the vulnerability ThroughTek. The notice prompted CISA to release its statement saying the vulnerability was remotely exploitable and was not complex to attack. The P2P functionality allows users to look at audio and video streams through the internet. 

In a statement, Taiwan-headquartered ThroughTek said: “This vulnerability has been addressed in SDK version 3.3 and onwards, which was released at mid-2020. We strongly suggest that you review the SDK version applied to your product and follow the instructions below to avoid any potential problems.

“On this note, we would like to encourage you to keep a close watch on our future SDK releases in response to new security threats.”

Since the vulnerability affects a software Component that is a part of the supply chain for OEMs of consumer-grade surveillance cameras, and IoT devices and the consequences of such action is effective and can be dangerous to the safety of the device, allowing an attacker to view sensitive audio and/or video Stream.