Skip to main content

Serious vulnerability turns home tech into spying tools

cybersecurity
(Image credit: Image Credit: Geralt / Pixabay)

Security researchers working with the Cybersecurity and Infrastructure Security Agency (CISA) have disclosed a critical vulnerability that affects millions of Internet of Things (IoT) devices.

Disclosed by security vendor Mandiant, the vulnerability impacts IoT devices that are powered by ThroughTek’s Kalay platform, which is often used by IoT camera manufacturers, as well as in smart baby monitors, and Digital Video Recorder (DVR) products.

“This vulnerability, discovered by researchers on Mandiant’s Red Team in late 2020, would enable adversaries to remotely compromise victim IoT devices, resulting in the ability to listen to live audio, watch real time video data, and compromise device credentials for further attacks based on exposed device functionality,” explained Mandiant.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

IoT espionage

Notably, this isn’t the first time CISA has had to step in to help plug a critical vulnerability in ThroughTek devices. A vulnerability detected by Nozomi Networks equipped hackers with just about the same snooping capabilities as the current vulnerability, minus the ability to control affected devices remotely.

Giving a high-level overview of the latest vulnerability, the researchers explain that it can be exploited by attackers to remotely communicate with and even control the affected IoT devices.

“At the time of writing this blog post, ThroughTek advertises having more than 83 million active devices and over 1.1 billion monthly connections on their platform,” say the researchers, who cannot pin down an exact number because of how the Kalay platform is integrated into devices.

Perhaps the only saving grace is that remotely compromising the affected devices isn’t straightforward. According to the researchers, an attacker would not only require comprehensive knowledge of the Kalay protocol, but will also have to trick users into handing over their Kalay unique identifiers (UID).

As such, the vulnerability earned a severity score of just 3.1/9.6 by the Common Vulnerability Scoring System (CVSS).

ThroughTek has already patched the vulnerability, and the researchers urge companies with products based on the Kalay platform to make sure they are using Kalay SDK v3.3.1.0 or v3.4.2.0, while also enabling the platform’s Authkey and Datagram Transport Layer Security (DTLS) features.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.