A newly discovered vulnerability that could affect 83 million IoT devices allows an attacker to listen to live audio, watch real-time video data, compromise device credentials for further attacks or remotely control devices, according to new research.
According to Mandiant, a subsidiary of cybersecurity firm FireEye, the IoT vulnerability is in the ThroughTek Kalay network, a protocol implemented as a software development kit built into client software and networked IoT devices, including smart camera manufacturers, smart baby monitors and digital video recorder (DVR) products.
Mandiant cited a previous IoT vulnerability published by Nozomi Networks in 2021, but this new vulnerability allows attackers to communicate with devices remotely, which could lead to remote control of devices and potentially remote code execution.
To pull it off, an attacker would need extensive knowledge of the Kalay protocol and the ability to generate and send messages. An adversary would also need to obtain Kalay UIDs through social engineering or other IoT vulnerabilities in APIs or services that return Kalay UIDS, Mandiant says in the report.
Then, an attacker can remotely compromise affected devices that correspond to those UIDs, the report says.
According to ThroughTek, the Kalay platform was developed as a point-to-point connection technology to help manufacturers make products that offer a variety of modular features that are easily operated, have stable connections and offer enhanced security through firmware integration.
It was upgraded in late 2019 with a new decentralized architecture to create more efficient connections, simplify the integration process and reinforce data security.
“Kalay 2.0 enables integration of video surveillance equipment, smart consumer products, and a variety of sensors to allow brand name manufacturers, telecoms providers, system integrators, hardware manufacturers, and other service providers to offer smart solutions that are safer, more convenient, and more flexible for users to enjoy,” ThroughTek says on its website.
Mandiant was unable to give a complete list of products and companies impacted, but ThroughTek advertises having more than 83 million active devices and over 1.1 billion monthly connections on the platform.
According to Mandiant, it worked with the U.S. Cybersecurity and Infrastructure Security Agency to disclose the IoT vulnerability.
Organizations using the Kalay platform should do the following, Mandiant says:
- If the implemented SDK is below version 3.1.10, upgrade the library to version 220.127.116.11 or version 18.104.22.168 and enable the Authkey and Datagram Transport Layer Security (“DTLS”) features provided by the Kalay platform.
- If the implemented SDK is version 3.1.10 and above, enable Authkey and DTLS.
- Review security controls in place on APIs or other services that return Kalay unique identifiers (“UIDs”).