Threat Watch

ThroughTek’s Kalay IoT Cloud Platform Critical Bug

Researchers at Mandiant’s Red Team discovered a bug in the ThroughTek Kalay IoT cloud platform that affects tens of thousands of devices. The issue impacts products from various manufacturers that provide video and surveillance solutions, as well as home automation IoT systems that use the Kalay network. A remote attacker could leverage the vulnerability to take control of the device or gain access to the live audio and video streams. Tracked as CVE-2021-28372, the issue is a device impersonation vulnerability that received a severity score of 9.6 out of 10.

Researchers found that registering a device on the Kalay network required only the device’s unique identifier (UID). The Kalay client, such as the mobile application, usually receives the UID from the API hosted by the vendor of the IoT device. Obtaining the UIDs also requires some effort from the attacker (social engineering, exploiting other vulnerabilities). Once a UID is obtained, the attacker could use it to register a device on the Kalay network as if they controlled it, which in turn yields credentials that give them remote access to the device. The researchers say that this type of access, combined with vulnerabilities in the device-implemented RPC (Remote Procedure Call) interface, can lead to complete device compromise.

ANALYST NOTES

In another security advisory, ThroughTek provided advice on how to mitigate the risks, including:
• “If using ThroughTek SDK v3.1.10 and above, please enable AuthKey and DTLS (Datagram Transport Layer Security) to protect data in transit;
• If using ThroughTek SDK the older versions before v3.1.10, please upgrade the library to v3.3.1.0 or v3.4.2.0 and enable AuthKey and DTLS.”

It is also recommended to review the security controls defined by the APIs or other services that can return the UID of devices. Because many manufacturers of IoT devices use the Kalay network, it is hard to identify a full list of affected devices. Device owners should keep their devices up to date with the latest security patches and never set up the devices on a network that is open to the public. CISA released a security advisory with mitigation practices that can be found here: https://us-cert.cisa.gov/ics/advisories/icsa-21-229-01
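The following simplified model shows why a UID alone cannot serve as a device credential, and what binding registration to a per-device secret changes. It is an added example, not ThroughTek's code or the Kalay protocol: the registry classes, the HMAC challenge-response, the "last registration wins" behaviour and the sample UID are assumptions for illustration, and the page does not describe how AuthKey works internally.

```python
import hashlib
import hmac
import secrets

def prove(key, nonce, endpoint):
    # Device-side proof: HMAC over the server nonce and the claimed endpoint.
    return hmac.new(key, nonce + endpoint.encode(), hashlib.sha256).digest()

class UidOnlyRegistry:
    """Weak model: whoever presents a UID is treated as that device."""
    def __init__(self):
        self.routes = {}  # uid -> endpoint that clients are directed to

    def register(self, uid, endpoint):
        # Model assumption: no proof is requested and the last caller wins.
        self.routes[uid] = endpoint

class KeyedRegistry:
    """Hardened model: registration must prove knowledge of a per-device key."""
    def __init__(self, provisioned_keys):
        self.keys = provisioned_keys  # uid -> secret provisioned out of band
        self.routes = {}
        self.pending = {}             # uid -> outstanding one-time nonce

    def challenge(self, uid):
        self.pending[uid] = secrets.token_bytes(16)
        return self.pending[uid]

    def register(self, uid, endpoint, proof):
        nonce = self.pending.pop(uid, None)  # single use, so replays fail
        key = self.keys.get(uid)
        if nonce is None or key is None:
            return False
        if not hmac.compare_digest(prove(key, nonce, endpoint), proof):
            return False
        self.routes[uid] = endpoint
        return True

def demo():
    uid = "CONSTRUCTED-UID-0001"          # constructed sample value
    device_key = secrets.token_bytes(32)  # known to device and registry only
    weak = UidOnlyRegistry()
    weak.register(uid, "camera.example")
    weak.register(uid, "other.example")   # second party knows only the UID
    strong = KeyedRegistry({uid: device_key})
    n = strong.challenge(uid)
    ok = strong.register(uid, "camera.example", prove(device_key, n, "camera.example"))
    n = strong.challenge(uid)
    rejected = not strong.register(uid, "other.example", prove(b"guess", n, "other.example"))
    return weak.routes[uid], ok, rejected, strong.routes[uid]
```

In the weak model the route for the UID ends up pointing at the second registrant; in the keyed model a leaked UID is not enough, which is why APIs that return UIDs still need access controls but stop being the only barrier.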

https://www.bleepingcomputer.com/news/security/critical-bug-impacting-millions-of-iot-devices-lets-hackers-spy-on-you/