A critical vulnerability was discovered in the Kalay cloud platform that exposes millions of IoT devices to attacks.
The researchers at FireEye’s Mandiant have discovered the critical vulnerability, dubbed CVE-2021-28372, in a core component of the Kalay cloud platform which is used by millions of IoT devices from many vendors.
It is easy for a remote attacker to exploit the flaw in order to take over an IoT device. The only info needed for the attack is the Kalay unique identifier (UID) of the targeted user which could be obtained via social engineering.
Mandiant was not able to create a comprehensive list of affected devices; however, ThroughTek’s website reports more than 83 million active devices on the Kalay platform as of now.
An attacker would require comprehensive knowledge of the Kalay protocol and the ability to generate and send messages. He would also require Kalay UIDs through social engineering or other vulnerabilities in APIs or services that return Kalay UIDs. From there, an attacker would be able to remotely compromise affected devices that correspond to the obtained UIDs.
After getting the UID of a targeted device, the hacker could send a specially crafted request to the Kalay network to register another device with the same UID on the network. Then the Kalay servers will overwrite the existing device. Once the victim will connect the device, his connection will be directed to the attacker that could obtain the credentials used by the victim to access the device.
Most of the devices using the platform are video surveillance products such as IP cameras and baby monitors. The attacker could exploit this flaw to eavesdrop audio and video data.
The attacker could also use RPC (remote procedure call) functionality to completely take over the device. This varies from device to device but typically is used for device telemetry, firmware updates, and device control.
ThroughTek, the company that developed the cloud IoT platform, has released SDK updates to address the flaw. All the customers are recommended to enable AuthKey and DTLS.
The customers are advised to adopt one of the following steps immediately:
- If using ThroughTek SDK v3.1.10 and above, enable AuthKey and DTLS;
- If using ThroughTek SDK the older versions prior to v3.1.10, upgrade library to v18.104.22.168 or v22.214.171.124, and enable AuthKey and DTLS.
The researchers concluded that the flaw poses a huge risk to an end user’s security and privacy and should be mitigated appropriately. Unprotected devices, such as IoT cameras, can be compromised remotely with access to a UID and further attacks are possible depending on the functionality exposed by a device.