
Millions of IoT Devices Exposed to Attacks Due to Cloud Platform Vulnerability

Researchers at FireEye’s threat intelligence and incident response unit Mandiant have identified a critical vulnerability that exposes millions of IoT devices to remote attacks.

The flaw was found in a core component of the Kalay cloud platform for IoT devices offered by ThroughTek, a Taiwan-based company that provides IoT and M2M solutions for surveillance, security, smart home, cloud storage, and consumer electronics systems.

Mandiant researchers discovered in late 2020 that the platform, which is used by millions of IoT devices from many vendors, is affected by a critical vulnerability that can be exploited to remotely hack affected systems. Since many of the impacted devices are video surveillance products — this includes IP cameras, baby monitors and digital video recorders — exploiting the vulnerability could allow an attacker to intercept live audio and video data.

The vulnerability is tracked as CVE-2021-28372 and has been assigned a CVSS score of 9.6. To exploit it, an attacker first needs to obtain the Kalay unique identifier (UID) of the targeted user, for example through social engineering or other methods.

Dillon Franke, one of the Mandiant researchers who discovered the vulnerability, told SecurityWeek that while the UID cannot be obtained through brute-forcing, there are other ways to obtain the data, including for mass attacks.

“Mandiant has discovered vendor-specific endpoints that could allow an attacker to enumerate valid UIDs. Additionally, an attacker on a public network such as airport wifi could capture and decode a victim connecting to their Kalay device to obtain the victim’s UID. Therefore, mass attacks are possible,” Franke explained. “Mandiant has also seen end users sharing their UIDs on social media and public support forums.”

Once the attacker obtains the UID, they need to send a specially crafted request to the Kalay network to register a second device with the same UID, which causes the Kalay servers to overwrite the existing registration. The attacker then waits for the victim to access their device: because the UID is now registered to the attacker, the victim’s connection is directed to the attacker, who obtains the credentials the victim uses to access the device.

“For example, a victim user viewing their camera feed through a mobile application using the Kalay SDK would be routed to the attacker, who could obtain the device credentials,” Franke said.

Once they have the victim’s credentials, the hacker can not only access audio and video data, but also abuse RPC (remote procedure call) functionality, which is typically implemented for firmware updates, device control, and telemetry.

“Vulnerabilities in the device-implemented RPC interface can lead to fully remote and complete device compromise,” Mandiant warned.

Mandiant has published a blog post and an advisory describing its findings, but it has not made public any proof-of-concept (PoC) exploit code.

ThroughTek has released SDK updates that address the vulnerability. In addition, the company has advised customers to enable AuthKey (for an extra layer of authentication) and DTLS (to protect data in transit) to reduce the risk of attacks.
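The following toy model is an added illustration and is not ThroughTek's code or protocol; the class and function names (NaiveDirectory, AuthKeyDirectory, register, lookup) and the UID and endpoint values are constructed for this example. It models the two points made above: a directory that keys registration on the UID alone lets any second registration replace the first, so the next client lookup is routed to the impostor, whereas a directory that demands proof of a device-held secret (the role an option such as AuthKey plays) rejects a registration from anyone who has only the UID, and records the attempt so operators have something to alert on.

```python
"""Toy model of UID-based device registration in a Kalay-style directory.

Added illustration, not ThroughTek's implementation. All names, UIDs and
endpoints below are hypothetical / constructed for this example.
"""
import hashlib
import hmac
import secrets

# Constructed sample values for the illustration.
VICTIM_UID = "ABCD1234EFGH5678ABCD"
DEVICE_ENDPOINT = "192.0.2.10:32100"
IMPOSTOR_ENDPOINT = "203.0.113.7:32100"


class NaiveDirectory:
    """Registration keyed on the UID alone: the last registration wins."""

    def __init__(self):
        self._table = {}

    def register(self, uid, endpoint):
        self._table[uid] = endpoint   # silently replaces any existing entry
        return True

    def lookup(self, uid):
        return self._table.get(uid)


class AuthKeyDirectory:
    """Registration must prove possession of a per-device secret.

    The secret is provisioned to the genuine device out of band and the
    directory keeps a copy, so it can verify an HMAC over the registration
    request. A change of endpoint for a live registration is also recorded,
    which gives defenders a detection signal even for authenticated updates.
    """

    def __init__(self):
        self._table = {}
        self._keys = {}
        self.events = []

    def provision(self, uid, key):
        self._keys[uid] = key

    @staticmethod
    def tag(key, uid, endpoint):
        msg = f"{uid}|{endpoint}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def register(self, uid, endpoint, tag):
        key = self._keys.get(uid)
        if key is None or not hmac.compare_digest(tag, self.tag(key, uid, endpoint)):
            self.events.append(("REJECTED_REGISTRATION", uid, endpoint))
            return False
        previous = self._table.get(uid)
        if previous is not None and previous != endpoint:
            self.events.append(("ENDPOINT_CHANGED", uid, previous, endpoint))
        self._table[uid] = endpoint
        return True

    def lookup(self, uid):
        return self._table.get(uid)


def naive_scenario():
    """Returns the endpoint a client is routed to after a UID-only re-registration."""
    d = NaiveDirectory()
    d.register(VICTIM_UID, DEVICE_ENDPOINT)
    d.register(VICTIM_UID, IMPOSTOR_ENDPOINT)  # nothing but the UID was needed
    return d.lookup(VICTIM_UID)


def authkey_scenario():
    """Returns (endpoint clients are routed to, whether impostor was accepted, events)."""
    d = AuthKeyDirectory()
    device_key = secrets.token_bytes(32)
    d.provision(VICTIM_UID, device_key)
    d.register(VICTIM_UID, DEVICE_ENDPOINT, d.tag(device_key, VICTIM_UID, DEVICE_ENDPOINT))
    # A party that knows the UID but not the key cannot produce a valid tag.
    forged = d.tag(b"guess", VICTIM_UID, IMPOSTOR_ENDPOINT)
    accepted = d.register(VICTIM_UID, IMPOSTOR_ENDPOINT, forged)
    return d.lookup(VICTIM_UID), accepted, d.events


if __name__ == "__main__":
    print("UID-only directory routes clients to:", naive_scenario())
    route, accepted, events = authkey_scenario()
    print("AuthKey-style directory routes clients to:", route, "| impostor accepted:", accepted)
    for event in events:
        print("event:", event)
```

The model deliberately leaves transport out of scope; in the real deployment DTLS is what stops the UID and credentials from being read off a shared network in the first place, which is why the vendor recommends enabling both options together.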

The same updates and mitigations were recommended by the vendor in June in response to research conducted by industrial and IoT cybersecurity firm Nozomi Networks, whose researchers also discovered a serious vulnerability in the ThroughTek solution.

Related: Devices From Many Vendors Can Be Hacked Remotely Due to Flaws in Realtek SDK

Related: Vulnerabilities in Open Design Alliance SDK Impact Siemens, Other Vendors

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
