A flaw in internet-connected security cameras can allow attackers to remotely watch what is recorded and breach networks in the process. The vulnerability was discovered and detailed by researchers at FireEye Mandiant, who say it relates to the Kalay network offered by ThroughTek.
Kalay is the hub that users leverage to connect smart devices with mobile apps. It is offered to original equipment manufacturers as an SDK (software development kit).
According to ThroughTek, Kalay has more than 83 million active devices on its network, with more than 1.1 billion connections. These include IoT devices, smart baby monitors, digital video recording devices, and various cameras.
Tracked as CVE-2021-28372, the flaw was first discovered in late 2020 and scored 9.6 on the Common Vulnerability Scoring System, which is considered critical.
The Mandiant researchers wrote an interface for creating and manipulating Kalay requests and responses, which allowed them to identify local and flow vulnerabilities in the communication. Additionally, they could register and identify devices in a way that made attacks possible.
With the ability to reveal a device's identity, an attacker could obtain the Kalay client device's unique identifier and use it to register with Kalay servers, gaining access to the device.
The vulnerability is so severe that the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency issued an ICS advisory with Mandiant.
The research unit and ThroughTek recommended that the companies using the Kalay protocol upgrade to version 3.2.10, at the very least. The advisory also recommends they enable Kalay features like AuthKey and DTLS.
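The remediation above can be checked across a fleet. The following is an added example, not code from Mandiant, ThroughTek or the advisory: a Python audit over a constructed inventory that flags devices below SDK 3.2.10 or without AuthKey or DTLS. The inventory format, field names and device names are assumptions; versions are compared numerically because a plain string comparison would rank 3.2.10 below 3.2.9.

```python
# Added example: audit a device inventory against the remediation above.
# Inventory format, field names and device names are hypothetical.
MIN_SDK = (3, 2, 10)  # minimum Kalay SDK version named in the recommendation

def parse_version(text):
    """Return the version as a tuple of ints, or None if it cannot be parsed."""
    try:
        return tuple(int(p) for p in text.strip().lstrip("vV").split("."))
    except (AttributeError, ValueError):
        return None  # missing, empty or non-numeric version string

def audit_device(dev):
    """Return a list of findings for one inventory record."""
    findings = []
    version = parse_version(dev.get("sdk_version"))
    if version is None:
        findings.append("SDK version unknown: treat as unpatched until verified")
    elif version < MIN_SDK:  # tuple comparison, so (3, 2, 9) < (3, 2, 10)
        findings.append("SDK %s is below 3.2.10: upgrade" % dev["sdk_version"])
    if not dev.get("authkey_enabled", False):
        findings.append("AuthKey not enabled")
    if not dev.get("dtls_enabled", False):
        findings.append("DTLS not enabled")
    return findings

def audit_inventory(inventory):
    """Map device name -> findings, only for devices that need action."""
    report = {}
    for dev in inventory:
        findings = audit_device(dev)
        if findings:
            report[dev["name"]] = findings
    return report

# Constructed sample inventory (not real devices).
SAMPLE = [
    {"name": "cam-lobby", "sdk_version": "3.2.9", "authkey_enabled": True, "dtls_enabled": True},
    {"name": "cam-dock", "sdk_version": "3.2.10", "authkey_enabled": True, "dtls_enabled": True},
    {"name": "dvr-01", "sdk_version": "3.3.1", "authkey_enabled": False, "dtls_enabled": True},
    {"name": "monitor-7", "sdk_version": "", "authkey_enabled": True, "dtls_enabled": False},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE).items():
        print(name + ": " + "; ".join(findings))
```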
This vulnerability and its implications are a reminder that the prevalence of IoT has far outpaced our current ability to secure it, and that needs to change.