Top IoT platform vulnerabilities put 100+ million devices at risk — security cameras and baby monitors under threat

Installer in uniform puts security camera on wall fastening and connects it to system with cable. Man installs cameras in house. Concept of CCTV cameras, monitoring, safety and privacy.
(Image credit: Shutterstock / Frame Stock Footage)

Several vulnerabilities have been identified by Bitdefender in the ThroughTek Kalay Platform, upon which huge numbers of devices rely upon for IoT integration.

The flaws have severe ramifications for vendors further down the supply chain, with a number of prominent security cameras for businesses and domestic use suffering from a chain of vulnerabilities that provide root access from the local networks, and in some cases fully compromise the device.

The impacted cameras have been identified as the Owlet Cam v1 and v2, Roku Indoor Camera SE, and Wyze Cam v3.

Vulnerabilities through the lens

Supply chain attacks are becoming an increasingly lucrative target for threat actors, and not just for IoT devices. By finding vulnerabilities in software at the top of the supply chain, it is possible to exploit a range of software, services and devices further down the chain.

In this case, the software at the top is the ThroughTek Kalay platform which powers over 100 million devices around the globe, many of which are security oriented devices such as surveillance cameras.

The vulnerabilities identified by Bitdefender for this platform are tracked as CVE-2023-6321, which allows an authenticated user to run system commands as the root user leading to full compromise of the device, and CVE-2023-6322, which enables attackers to gain root access through a stack-based buffer overflow vulnerability in the handler of an IOCTL message, typically employed in configuring motion detection zones in cameras.

Further vulnerabilities, tracked as CVE-2023-6323 and CVE-2023-6324, can be combined with the aforementioned in a number of stacked combinations to allow attackers to gain access to the devices. The first allows a local attacker to leak the AuthKey secret by impersonating the P2P cloud server used by the device, with the second vulnerability allowing a local attacker to infer the pre-shared key for a DTLS session by forcing an empty buffer.

These vulnerabilities were first spotted by Bitdefender on October 19 2023, and have since been patched by their individual vendors. Bitdefender urges owners of the affected devices to ensure that all device updates are installed as and when they become available to mitigate existing and future vulnerabilities.

More from TechRadar Pro

Benedict Collins
Staff Writer (Security)

Benedict Collins is a Staff Writer at TechRadar Pro covering privacy and security. Benedict is mainly focused on security issues such as phishing, malware, and cyber criminal activity, but also likes to draw on his knowledge of geopolitics and international relations to understand the motivations and consequences of state-sponsored cyber attacks. Benedict has a MA in Security, Intelligence and Diplomacy, alongside a BA in Politics with Journalism, both from the University of Buckingham.