Critical vulnerabilities in millions of Internet of Things (IoT) devices, including security cameras, baby monitors and other video recording equipment, could allow attackers to compromise devices remotely, letting them watch, listen to live audio, and compromise credentials for further attacks based on exposed device functionality.
Cybersecurity company Mandiant, along with the Cybersecurity and Infrastructure Security Agency (CISA) and ThroughTek, disclosed the vulnerabilities in IoT devices that use the ThroughTek Kalay network.
This vulnerability has been assigned a CVSS 3.1 base score of 9.6 and is tracked as CVE-2021-28372 and FEYE-2021-0020. ThroughTek lists more than 83 million active devices and over 1.1 billion monthly connections on its platform. This latest vulnerability allows attackers to communicate with devices remotely. As a result, further attacks could include actions that would allow an adversary to remotely control affected devices and could potentially lead to remote code execution.
Researchers disassembled applications from both the Google Play Store and Apple App Store that included ThroughTek libraries. The team performed local and hardware-based attacks to obtain shell access, recover firmware images, and perform additional dynamic testing. They also developed a fully functional implementation of ThroughTek’s Kalay protocol, which enabled the team to perform key actions on the network, including device discovery, device registration, remote client connections, authentication, and, most importantly, processing of audio and video (“AV”) data.
The firm strongly encourages users of IoT devices to keep device software and applications up to date and use complex, unique passwords for any accounts associated with these devices. Upgrading to the Kalay protocol’s latest 3.3.10 version is recommended to secure devices and networks.