
Millions of IoT Devices Exposed to Attacks Due to Cloud Platform Vulnerability

Researchers at FireEye’s threat intelligence and incident response unit Mandiant have identified a critical vulnerability that exposes millions of IoT devices to remote attacks.

The flaw was found in a core component of the Kalay cloud platform for IoT devices offered by ThroughTek, a Taiwan-based company that provides IoT and M2M solutions for surveillance, security, smart home, cloud storage, and consumer electronics systems.

Mandiant researchers discovered in late 2020 that the platform, which is used by millions of IoT devices from many vendors, is affected by a critical vulnerability that can be exploited to remotely hack affected systems. Since many of the impacted devices are video surveillance products — this includes IP cameras, baby monitors and digital video recorders — exploiting the vulnerability could allow an attacker to intercept live audio and video data.

The vulnerability is tracked as CVE-2021-28372 and it has been assigned a CVSS score of 9.6. In order to exploit it, an attacker first needs to obtain the Kalay unique identifier (UID) of the targeted user. An attacker could obtain this UID through social engineering or other methods.

Dillon Franke, one of the Mandiant researchers who discovered the vulnerability, told SecurityWeek that while the UID cannot be obtained through brute-forcing, there are other ways to obtain the data, including for mass attacks.

“Mandiant has discovered vendor-specific endpoints that could allow an attacker to enumerate valid UIDs. Additionally, an attacker on a public network such as airport wifi could capture and decode a victim connecting to their Kalay device to obtain the victim’s UID. Therefore, mass attacks are possible,” Franke explained. “Mandiant has also seen end users sharing their UIDs on social media and public support forums.”

Once the attacker obtains the UID, they need to send a specially crafted request to the Kalay network to register another device with the same UID on the network, which causes Kalay servers to overwrite the existing device. The attacker then has to wait for the victim to access their device. Now that the attacker has registered the UID, the victim’s connection will be directed to the attacker, enabling them to obtain the credentials used by the victim to access the device.

“For example, a victim user viewing their camera feed through a mobile application using the Kalay SDK would be routed to the attacker, who could obtain the device credentials,” Franke said.

Once they have the victim’s credentials, the hacker can not only access audio and video data, but also abuse RPC (remote procedure call) functionality, which is typically implemented for firmware updates, device control, and telemetry.

“Vulnerabilities in the device-implemented RPC interface can lead to fully remote and complete device compromise,” Mandiant warned.

Mandiant has published a blog post and an advisory describing its findings, but it has not made public any proof-of-concept (PoC) exploit code.

ThroughTek has released SDK updates that address the vulnerability. In addition, the company has advised customers to enable AuthKey (for an extra layer of authentication) and DTLS (to protect data in transit) to reduce the risk of attacks.
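The two paragraphs above describe the core of the issue: a registration request naming an already-registered UID simply overwrites the existing entry, and the recommended fix is an extra authentication layer (AuthKey) so that a registration must prove it comes from the legitimate device. The following is an added illustration written for this article, not code from Mandiant, ThroughTek or the Kalay SDK; it models a last-writer-wins registry beside a registry that requires an HMAC proof of a per-UID key provisioned out of band, which is only a rough analog of AuthKey, not the actual Kalay protocol. The UID, key and endpoints are constructed sample values.

```python
import hashlib
import hmac
import secrets


class NaiveRegistry:
    """Last-writer-wins registry: any request naming a UID replaces the
    endpoint that clients connecting to that UID are routed to.  This is
    the behaviour the article describes, modelled abstractly."""

    def __init__(self):
        self._routes = {}

    def register(self, uid, endpoint):
        self._routes[uid] = endpoint
        return True

    def route(self, uid):
        return self._routes.get(uid)


def prove(device_key, nonce, endpoint):
    """Proof of key possession: HMAC-SHA256 over the server nonce and the
    endpoint being registered, so the proof is bound to this one request."""
    return hmac.new(device_key, nonce + endpoint.encode(), hashlib.sha256).digest()


class AuthenticatedRegistry:
    """Registry that accepts a registration only if it carries a valid proof
    computed with the per-UID key (hypothetical stand-in for an AuthKey-style
    layer).  Nonces are single-use, so a captured proof cannot be replayed,
    and every rejection or endpoint change is recorded for monitoring."""

    def __init__(self, device_keys):
        self._keys = dict(device_keys)
        self._routes = {}
        self._pending = set()
        self.events = []

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def register(self, uid, endpoint, nonce, proof):
        if nonce not in self._pending:
            self.events.append(("rejected-nonce", uid, endpoint))
            return False
        self._pending.discard(nonce)
        key = self._keys.get(uid)
        if key is None or not hmac.compare_digest(prove(key, nonce, endpoint), proof):
            self.events.append(("rejected-proof", uid, endpoint))
            return False
        previous = self._routes.get(uid)
        if previous is not None and previous != endpoint:
            # Legitimate re-registrations happen, but a changed endpoint is
            # exactly the event a defender would want to alert on.
            self.events.append(("endpoint-changed", uid, endpoint))
        self._routes[uid] = endpoint
        return True

    def route(self, uid):
        return self._routes.get(uid)


def demo():
    uid = "EXAMPLE-UID-0001"                 # constructed sample UID
    device_key = b"constructed-per-device-secret"
    legit = "device:203.0.113.10"           # constructed endpoints
    other = "unverified:198.51.100.7"

    naive = NaiveRegistry()
    naive.register(uid, legit)
    naive.register(uid, other)              # same UID, no proof required: routing is replaced

    authed = AuthenticatedRegistry({uid: device_key})
    n1 = authed.challenge()
    first_ok = authed.register(uid, legit, n1, prove(device_key, n1, legit))
    n2 = authed.challenge()
    second_ok = authed.register(uid, other, n2, b"\x00" * 32)  # no key, so the proof is bogus

    return {
        "naive_route": naive.route(uid),
        "authed_route": authed.route(uid),
        "first_accepted": first_ok,
        "second_accepted": second_ok,
        "events": authed.events,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running the block shows the naive registry routing the UID to the second registrant, while the authenticated registry keeps the original endpoint and logs a `rejected-proof` event; the audit list is the hook a platform operator would feed into alerting on repeated rejections or endpoint changes for a single UID.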

The same updates and mitigations were recommended by the vendor in June in response to research conducted by industrial and IoT cybersecurity firm Nozomi Networks, whose researchers also discovered a serious vulnerability in the ThroughTek solution.

Related: Devices From Many Vendors Can Be Hacked Remotely Due to Flaws in Realtek SDK

Related: Vulnerabilities in Open Design Alliance SDK Impact Siemens, Other Vendors

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
