A critical security flaw has been identified in ThroughTek’s Kalay IoT cloud platform which could be exploited by remote attackers to intercept live video and audio streams and take control of IoT devices.
According to ThroughTek, its Kalay IoT network supports more than 83 million active devices with over 1.1 billion monthly connections. Affected devices include IoT cameras, digital video recorders (DVRs), and smart baby monitors. ThroughTek also says it supports around 250 systems-on-a-chip (SoCs), which are incorporated into small consumer electronic devices such as smartphones and wearable devices.
The Kalay protocol is delivered as a Software Development Kit (SDK) that device makers and app developers compile into their own firmware and client software. Because original equipment manufacturers (OEMs) and resellers integrate the SDK under their own branding before devices reach consumers, a comprehensive list of affected products cannot be compiled.
Mandiant Red Team researchers discovered the bug in late 2020 and have since worked with ThroughTek on mitigations. Mandiant publicly disclosed the flaw on August 17, 2021 in coordination with the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
The flaw, tracked as CVE-2021-28372 and FEYE-2021-0020, has been assigned a CVSS 3.1 base score of 9.6 out of 10. Exploitation is not trivial: an attacker needs detailed knowledge of the Kalay protocol, the ability to generate and send Kalay messages, and the Kalay UID of the target device. UIDs can be obtained through social engineering, or by exploiting weaknesses in the vendor APIs or services that return Kalay UIDs to client applications.
“CVE-2021-28372 poses a huge risk to an end user’s security and privacy and should be mitigated appropriately,” said Mandiant. “Unprotected devices, such as IoT cameras, can be compromised remotely with access to a UID and further attacks are possible depending on the functionality exposed by a device.”
The vulnerability is a device impersonation flaw: the Kalay network accepts a device registration for a UID without verifying that the registering party actually owns that device. In normal operation the Kalay client, typically the vendor's mobile app, obtains the device's UID from a web API hosted by the IoT device vendor and then uses that UID to locate and connect to the device through the Kalay network, as shown in the diagram below:
An attacker who knows the UID of a target device can register their own device on the Kalay network under the same UID, so that the Kalay servers route every client connection attempt intended for the real device to the attacker instead. Beyond intercepting the real-time audio and video feeds, the attacker receives the login credentials the client sends when it connects; those credentials give the attacker remote access to the real device and, depending on the functionality the device exposes, control of it.
Mandiant strongly recommends that all companies using the Kalay platform apply the mitigations it has published in conjunction with ThroughTek to limit the potential for exploitation of the flaw.
Those mitigations include:
- If the implemented SDK is below version 3.1.10, upgrade the library to version 3.3.1.0 or 3.4.2.0 and enable the Authkey and Datagram Transport Layer Security (DTLS) features provided by the Kalay platform (Authkey adds an authentication check to the connection; DTLS encrypts the traffic in transit).
- If the implemented SDK is version 3.1.10 or higher, enable Authkey and DTLS.
- Review the security controls on any APIs or other services that return Kalay unique identifiers, since a leaked UID is the attacker's entry point.
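To make the impersonation mechanism and the effect of the Authkey-style mitigation concrete, here is a toy model added for this article. It is not ThroughTek's Kalay code and does not reproduce the real protocol: the rendezvous step is modelled as an in-memory registry mapping a UID to an endpoint, and the Authkey mitigation as a per-device secret the registering party must prove possession of. The HMAC proof, the sample UID, the endpoints and the credentials are all constructed for the example. In the weak mode any party that knows the UID can overwrite the registration and receive the client's login; with the proof required, the rogue registration is refused and the client still reaches the real device.

```python
"""
Toy model of a UID-keyed device registry, constructed for this article.
It is not ThroughTek's Kalay protocol or SDK code: the message shapes, the
in-memory registry and the 'authkey' proof are assumptions chosen to show
why an unauthenticated register-by-UID step lets an attacker impersonate a
device, and why binding registration to a per-device secret blocks it.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets


class Device:
    """A legitimate camera: accepts logins only with its configured credentials."""

    def __init__(self, endpoint: str, username: str, password: str) -> None:
        self.endpoint = endpoint
        self._creds = (username, password)

    def receive_login(self, username: str, password: str) -> bool:
        return (username, password) == self._creds


class RogueDevice:
    """Attacker's device: accepts any login and records the credentials it sees."""

    def __init__(self, endpoint: str) -> None:
        self.endpoint = endpoint
        self.captured: list[tuple[str, str]] = []

    def receive_login(self, username: str, password: str) -> bool:
        self.captured.append((username, password))
        return True


def make_proof(authkey: bytes, uid: str, endpoint: str) -> bytes:
    """Device-side proof of possession of the per-device secret (assumed design)."""
    return hmac.new(authkey, f"{uid}|{endpoint}".encode(), hashlib.sha256).digest()


class Registry:
    """Rendezvous server mapping UID -> endpoint that clients should connect to."""

    def __init__(self, require_authkey: bool) -> None:
        self.require_authkey = require_authkey
        self._table: dict[str, str] = {}
        self._authkeys: dict[str, bytes] = {}  # secrets provisioned at manufacture (assumed)

    def provision(self, uid: str) -> bytes:
        key = secrets.token_bytes(16)
        self._authkeys[uid] = key
        return key

    def register(self, uid: str, endpoint: str, proof: bytes | None = None) -> bool:
        """Handle a device's 'register' message; True means the UID now points at endpoint."""
        if self.require_authkey:
            key = self._authkeys.get(uid)
            if key is None or proof is None:
                return False
            if not hmac.compare_digest(make_proof(key, uid, endpoint), proof):
                return False
        # Weak mode: nothing ties the UID to a device, so the last registration wins.
        self._table[uid] = endpoint
        return True

    def lookup(self, uid: str) -> str | None:
        return self._table.get(uid)


def run_scenario(require_authkey: bool) -> dict:
    """Play the impersonation attempt with or without Authkey-style registration."""
    registry = Registry(require_authkey)
    uid = "ABCD1234EFGH5678"  # constructed sample UID, not a real one
    real = Device("203.0.113.10:32100", "admin", "hunter2")  # documentation IPs
    rogue = RogueDevice("198.51.100.7:32100")
    by_endpoint = {real.endpoint: real, rogue.endpoint: rogue}

    # 1. The real device registers, proving possession of its provisioned secret.
    key = registry.provision(uid)
    registry.register(uid, real.endpoint, make_proof(key, uid, real.endpoint))

    # 2. An attacker who learned the UID (but not the secret) re-registers it.
    hijacked = registry.register(uid, rogue.endpoint)

    # 3. The client resolves the UID and sends its login to whatever endpoint it gets.
    endpoint = registry.lookup(uid)
    by_endpoint[endpoint].receive_login("admin", "hunter2")

    # 4. If the rogue device saw the login, the attacker replays it to the real camera.
    replayed = any(real.receive_login(u, p) for u, p in rogue.captured)

    return {
        "hijacked": hijacked,
        "client_routed_to": endpoint,
        "captured": list(rogue.captured),
        "attacker_logged_in": replayed,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print(f"require_authkey={mode}: {run_scenario(mode)}")
```

Running the script prints the outcome for both modes. The model also shows why reviewing the services that hand out UIDs matters: in the weak mode the UID is the only thing the attacker needs, and in the hardened mode the per-device secret only helps if it never leaves the device and the registry enforces the check on every registration, not just the first.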
Owners of IoT devices, including devices not affected by the Kalay flaw, are advised to keep their devices on the latest software version and to avoid connecting them to untrusted networks such as public Wi-Fi.