A bug impacting millions of IoT devices lets hackers SPY on you

Security researchers are sounding the alarm on a critical vulnerability affecting tens of millions of devices worldwide connected via ThroughTek’s Kalay IoT cloud platform.

The security issue impacts products from various manufacturers providing video and surveillance solutions as well as home automation IoT systems that use the Kalay network for easy connection and communication with a corresponding app.

A remote attacker could leverage the bug to gain access to the live audio and video streams, or to take control of the vulnerable device.

Hijacking device connections

Researchers at Mandiant’s Red Team discovered the vulnerability at the end of 2020 and worked with the U.S. Cybersecurity and Infrastructure Security Agency and ThroughTek to coordinate the disclosure and create mitigation options.

Tracked as CVE-2021-28372, the issue is a device impersonation vulnerability that received a severity score of 9.6 out of 10. It affects the Kalay protocol, which is implemented as a software development kit (SDK) built into mobile and desktop applications.

Mandiant’s Jake Valletta, Erik Barzdukas, and Dillon Franke looked at ThroughTek’s Kalay protocol and found that registering a device on the Kalay network required only the device’s unique identifier (UID).

Following this lead, the researchers discovered that a Kalay client, such as a mobile app, usually receives the UID from a web API hosted by the vendor of the IoT device.

The researchers say that this type of access, combined with vulnerabilities in the device-implemented RPC (remote procedure call) interface, can lead to complete device compromise.

Proof-of-concept (PoC) exploit code

https://youtu.be/PBiW-rg8-LE


Mitigation options for devs and owners

In a security advisory published on July 20 for another critical vulnerability in its SDK (CVE-2021-32934), and updated on August 13, ThroughTek provides guidance that customers can follow to mitigate the risks associated with CVE-2021-28372:

  • If using ThroughTek SDK v3.1.10 and above, please enable AuthKey and DTLS (Datagram Transport Layer Security) to protect data in transit;
  • If using ThroughTek SDK versions older than v3.1.10, please upgrade the library to v3.3.1.0 or v3.4.2.0 and enable AuthKey and DTLS.
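The finding above (registration accepted on the strength of a UID alone, while the UID itself is handed out by a vendor web API) and the AuthKey part of ThroughTek's mitigation can be illustrated with a small model of a registration broker. The following is an added example written for this article; it is not ThroughTek's code, does not reproduce the real Kalay wire protocol or its actual AuthKey mechanism, and models AuthKey as a hypothetical per-device pre-shared secret used in an HMAC challenge-response. The UID, endpoints and key are constructed sample values. DTLS (transport encryption) is not modelled.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class Broker:
    """Hypothetical registration broker: maps a UID to the endpoint a client
    will be connected to. With require_authkey=False it behaves like the
    UID-only registration the researchers describe; with require_authkey=True
    a registration must prove possession of the device's provisioned secret."""

    def __init__(self, require_authkey: bool) -> None:
        self.require_authkey = require_authkey
        self._authkeys: Dict[str, bytes] = {}       # UID -> provisioned AuthKey
        self._pending: Dict[str, bytes] = {}        # UID -> outstanding nonce
        self._registrations: Dict[str, str] = {}    # UID -> registered endpoint

    def provision(self, uid: str, authkey: bytes) -> None:
        # Done out of band at manufacturing time; the key never crosses the network.
        self._authkeys[uid] = authkey

    def challenge(self, uid: str) -> bytes:
        # One fresh nonce per registration attempt; consumed on use so an old proof
        # cannot be replayed.
        nonce = secrets.token_bytes(16)
        self._pending[uid] = nonce
        return nonce

    def register(self, uid: str, endpoint: str, nonce: bytes,
                 proof: Optional[bytes]) -> bool:
        if self.require_authkey:
            issued = self._pending.pop(uid, None)
            key = self._authkeys.get(uid)
            if issued is None or issued != nonce or key is None or proof is None:
                return False
            expected = hmac.new(key, nonce + uid.encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, proof):
                return False
        # UID-only mode: whoever registered last owns the UID from now on.
        self._registrations[uid] = endpoint
        return True

    def lookup(self, uid: str) -> Optional[str]:
        """What a client asking for this UID would be connected to."""
        return self._registrations.get(uid)


def device_proof(authkey: bytes, nonce: bytes, uid: str) -> bytes:
    """The device side of the hypothetical challenge-response."""
    return hmac.new(authkey, nonce + uid.encode(), hashlib.sha256).digest()


def scenario(require_authkey: bool) -> dict:
    """Run one legitimate registration, then two attempts that know only the
    UID (no key, or a stale proof), and report where a client would land."""
    broker = Broker(require_authkey)
    uid = "CONSTRUCTED-UID-0001"            # constructed sample, not a real Kalay UID
    key = secrets.token_bytes(32)           # constructed sample AuthKey
    broker.provision(uid, key)

    # Legitimate device registers with a valid proof.
    nonce = broker.challenge(uid)
    proof = device_proof(key, nonce, uid)
    legit = broker.register(uid, "camera-lan-endpoint", nonce, proof)

    # A second party holding only the UID attempts to register it.
    nonce2 = broker.challenge(uid)
    uid_only = broker.register(uid, "other-endpoint", nonce2, None)

    # The same party reuses the legitimate device's earlier nonce and proof.
    replay = broker.register(uid, "other-endpoint", nonce, proof)

    return {
        "legit": legit,
        "uid_only_accepted": uid_only,
        "replay_accepted": replay,
        "client_reaches": broker.lookup(uid),
    }


if __name__ == "__main__":
    print("UID only :", scenario(require_authkey=False))
    print("AuthKey  :", scenario(require_authkey=True))
```

In the UID-only run the last registration wins, so a client asking for the camera's UID is connected to the other endpoint: this is the connection hijack the article describes, and it needs nothing beyond a UID. With the key check enabled, both the keyless attempt and the replayed proof are rejected and the client still reaches the camera. The point for defenders is that an identifier obtainable from a public API is not an authentication factor; the mitigation works because the AuthKey is a secret the broker can challenge for, and DTLS then protects the session that follows.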

Source: THN