Researchers at Mandiant’s Red Team discovered a bug in the ThroughTek Kalay IoT cloud platform that affects tens of thousands of devices. The issue impacts products from various manufacturers that provide video and surveillance solutions, as well as home automation IoT systems, built on the Kalay network. A remote attacker could leverage the vulnerability to take control of a device or gain access to its live audio and video streams. Tracked as CVE-2021-28372, the issue is a device impersonation vulnerability that received a severity score of 9.6 out of 10.

Researchers found that registering a device on the Kalay network required only the device’s unique identifier (UID). The Kalay client, such as the mobile application, usually receives the UID from the API hosted by the vendor of the IoT device. Obtaining UIDs is a task that requires some effort from the attacker (social engineering, exploiting other vulnerabilities). Once a UID is obtained, the attacker could use it to register a device on the Kalay network as if they controlled it, which in turn gives them credentials for remote access to the device. The researchers say that this type of access, combined with vulnerabilities in the device-implemented RPC (Remote Procedure Call) interface, can lead to complete device compromise.
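The design flaw described above, as an added toy model (not ThroughTek’s or Mandiant’s code): a registry that treats knowledge of the UID as proof of being the device, beside a hardened variant that requires the registrant to answer a fresh challenge with a per-device secret. The per-device key, the `device_response` helper, the class names and the UID are all constructed assumptions of this example; the real Kalay protocol is simplified to the one property that matters here.

```python
import hashlib, hmac, secrets

def device_response(key, uid, nonce):
    """What a legitimate device computes from the secret provisioned into it."""
    return hmac.new(key, uid.encode() + nonce, hashlib.sha256).digest()

class UidOnlyRegistry:
    """Vulnerable model: whoever presents a known UID becomes 'the device'."""
    def __init__(self):
        self.endpoints = {}  # uid -> address of whoever registered last

    def register(self, uid, address):
        # No proof of possession: last writer wins, so a second registrant
        # holding only the UID silently displaces the real device.
        self.endpoints[uid] = address
        return True

class ChallengeRegistry:
    """Hardened model: registration must answer a fresh nonce with an HMAC
    keyed by a per-device secret (an assumption of this example)."""
    def __init__(self, device_keys):
        self.device_keys = device_keys  # uid -> secret held only by the device
        self.endpoints = {}
        self.pending = {}  # uid -> outstanding nonce

    def challenge(self, uid):
        self.pending[uid] = secrets.token_bytes(16)
        return self.pending[uid]

    def register(self, uid, address, response):
        nonce, key = self.pending.pop(uid, None), self.device_keys.get(uid)
        if nonce is None or key is None:
            return False
        if not hmac.compare_digest(device_response(key, uid, nonce), response):
            return False  # knowing the UID is no longer enough
        self.endpoints[uid] = address
        return True

def demo():
    uid = "CONSTRUCTED-UID-0001"  # constructed sample, not a real Kalay UID
    weak = UidOnlyRegistry()
    weak.register(uid, "camera.lan")
    weak.register(uid, "impostor.example")  # knows nothing but the UID
    hijacked = weak.endpoints[uid] == "impostor.example"
    key = secrets.token_bytes(32)
    strong = ChallengeRegistry({uid: key})
    strong.register(uid, "camera.lan", device_response(key, uid, strong.challenge(uid)))
    bogus = strong.register(uid, "impostor.example", device_response(b"guess", uid, strong.challenge(uid)))
    return hijacked, bogus, strong.endpoints[uid]
```

`demo()` returns `(True, False, "camera.lan")`: the UID-only registry is hijacked, while the challenge registry rejects the registrant that lacks the device secret and keeps the real device’s endpoint.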
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense