Security vulnerabilities in millions of Internet of Things (IoT) devices, including connected security cameras, smart baby monitors and other digital video recording equipment, could allow cyber attackers to compromise devices remotely, allowing them to watch and listen to live feeds, as well as compromise credentials to prepare the ground for further attacks. The vulnerabilities in IoT devices that use the ThroughTek Kalay network have been disclosed by the cybersecurity company Mandiant, in coordination with the Cybersecurity and Infrastructure Security Agency (CISA). The Common Vulnerability Scoring System (CVSS) gave this a score of 9.6 which classifies it as a critical vulnerability. Upgrading to the latest version of the Kalay protocol (3.1.10) is highly recommended to protect devices and networks from attacks.
Mandiant hasn’t been able to compile a comprehensive list of all the affected devices, but ThroughTek’s own figures suggest that 83 million devices are connected through the Kalay network. Researchers combined disassembling the ThroughTek libraries shipped with official apps with developing a fully functional implementation of ThroughTek’s Kalay protocol. This allowed key actions to be performed, including device discovery, device registration, remote client connections, authentication, and the processing of audio and video data. By writing an interface for creating and manipulating Kalay requests and responses, researchers could identify logic and flow vulnerabilities in the Kalay protocol, most notably the ability to identify and register devices in a way that allows attackers to compromise them.
Attackers achieve this by obtaining a Kalay-enabled client device’s uniquely assigned identifier (UID), which can be discovered via web APIs, such as those used by mobile applications. Once they have obtained the UID of a device, they can register it themselves, which causes the Kalay servers to overwrite the existing device registration and direct subsequent attempts to connect to the device through the attacker. By doing this, attackers can obtain the username and password needed to access the device, which they can then use to access it remotely and monitor audio and video data in real time. Not only is this a massive privacy violation for users, but compromised devices in enterprise settings could allow attackers to snoop on sensitive discussions and meetings, potentially providing them with additional means of compromising networks. There is also the potential for devices to be recruited into a botnet and used to conduct DDoS attacks.
Mandiant is working with vendors who use the Kalay protocol to help protect devices from the vulnerability, and recommends that, no matter the manufacturer, IoT users regularly apply patches and updates to their devices to ensure they are protected against known vulnerabilities. The IoT solutions provider says it is continuously upgrading its software and cloud service to provide stronger security mechanisms for devices, connections, and the client app. Although it cannot limit which APIs and functions developers use in its SDK, ThroughTek says it will strengthen its educational training and make sure its customers use the SDK correctly to avoid further security breaches. ThroughTek has also been working with CISA to mitigate this vulnerability.