Researchers at FireEye’s threat intelligence and incident response unit Mandiant have identified a critical vulnerability that exposes millions of IoT devices to remote attacks.
The flaw was found in a core component of the Kalay cloud platform for IoT devices offered by ThroughTek, a Taiwan-based company that provides IoT and M2M solutions for surveillance, security, smart home, cloud storage, and consumer electronics systems.
Mandiant researchers discovered in late 2020 that the platform, which is used by millions of IoT devices from many vendors, is affected by a critical vulnerability that can be exploited to remotely hack affected systems. Since many of the impacted devices are video surveillance products — this includes IP cameras, baby monitors and digital video recorders — exploiting the vulnerability could allow an attacker to intercept live audio and video data.
The vulnerability is tracked as CVE-2021-28372 and it has been assigned a CVSS score of 9.6. In order to exploit it, an attacker needs to somehow obtain the Kalay unique identifier (UID) of the targeted user. An attacker could obtain this UID using social engineering, or through other methods.
Dillon Franke, one of the Mandiant researchers who discovered the vulnerability, told SecurityWeek that while the UID cannot be obtained through brute-forcing, there are other ways to obtain the data, including for mass attacks.
“Mandiant has discovered vendor-specific endpoints that could allow an attacker to enumerate valid UIDs. Additionally, an attacker on a public network such as airport wifi could capture and decode a victim connecting to their Kalay device to obtain the victim’s UID. Therefore, mass attacks are possible,” Franke explained. “Mandiant has also seen end users sharing their UIDs on social media and public support forums.”
Once the attacker obtains the UID, they need to send a specially crafted request to the Kalay network to register another device with the same UID on the network, which causes Kalay servers to overwrite the existing device. The attacker then has to wait for the victim to access their device. Now that the attacker has registered the UID, the victim’s connection will be directed to the attacker, enabling them to obtain the credentials used by the victim to access the device.
“For example, a victim user viewing their camera feed through a mobile application using the Kalay SDK would be routed to the attacker, who could obtain the device credentials,” Franke said.
Once they have the victim’s credentials, the hacker can not only access audio and video data, but also abuse RPC (remote procedure call) functionality, which is typically implemented for firmware updates, device control, and telemetry.
“Vulnerabilities in the device-implemented RPC interface can lead to fully remote and complete device compromise,” Mandiant warned.
Mandiant has published a blog post and an advisory describing its findings, but it has not made public any proof-of-concept (PoC) exploit code.
ThroughTek has released SDK updates that address the vulnerability. In addition, the company has advised customers to enable AuthKey (for an extra layer of authentication) and DTLS (to protect data in transit) to reduce the risk of attacks.
The same updates and mitigations were recommended by the vendor in June in response to research conducted by industrial and IoT cybersecurity firm Nozomi Networks, whose researchers also discovered a serious vulnerability in the ThroughTek solution.
Related: Devices From Many Vendors Can Be Hacked Remotely Due to Flaws in Realtek SDK
Related: Vulnerabilities in Open Design Alliance SDK Impact Siemens, Other Vendors