Vulnerabilities in Kalay Platform Leave IoT Devices Defenseless Against Security Threats

A vast number of baby monitors, web cameras, and DVRs are exposed to compromise by a vulnerability present in 83 million devices.

Researchers at FireEye’s Mandiant have discovered a critical vulnerability, tracked as CVE-2021-28372, in a core component of the Kalay cloud platform. The flaw is not limited to a single manufacturer; it is present in an SDK used by millions of IoT devices.

A remote attacker can exploit the flaw to take over an IoT device. The only thing the attacker needs is the Kalay unique identifier (UID) of the target device.

A report from the company states that Mandiant was not able to create a comprehensive list of affected devices. “An attacker would require comprehensive knowledge of the Kalay protocol and the ability to generate and send messages,” the document further states.

“You build Kalay in, and it’s the glue and functionality that these smart devices need,” says Jake Valletta, a director at Mandiant. “An attacker could connect to a device at will, retrieve audio and video, and use the remote API to then do things like trigger a firmware update, change the panning angle of a camera, or reboot the device. And the user doesn’t know that anything is wrong.” Once the attacker registers the UID of the target device with the Kalay servers, the servers overwrite the existing device’s registration. Subsequent client connections are directed to the attacker, who can then obtain the credentials the victim uses to access the unit. The attacker can even eavesdrop on audio and video from the compromised devices.

Many of the products that use Kalay’s platform are video surveillance devices, such as baby monitors and IP cameras. An attacker can also use the platform’s RPC (remote procedure call) functionality to take over a device completely.

RPC functionality, according to Mandiant’s report, is typically used for device telemetry and firmware updates. In addition to remotely connecting to and taking over the affected hardware, attackers can also “access AV data, and execute RPC calls.”

ThroughTek, the company that developed the cloud IoT platform, has released SDK updates to address the flaw. The company recommends that its customers enable AuthKey and DTLS immediately. Older models must upgrade their device libraries to maximize performance. Otherwise, further attacks remain possible, depending on the functionality a given device exposes.
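To make the mechanism described above (a registration keyed on a public UID that a later registrant can overwrite) and the value of the recommended AuthKey mitigation concrete, here is an added illustrative model. It is not ThroughTek’s Kalay protocol, SDK, or server code, and the message format, class names, UID and addresses are all constructed for the example. The vulnerable broker accepts whatever endpoint last registered a UID; the hardened broker demands an HMAC response to a fresh nonce, computed with a per-device secret provisioned out of band (standing in for AuthKey), before it will register or re-register a UID, and it records refused attempts so operators have something to alert on. Transport encryption (the DTLS recommendation) is not modelled.

```python
"""Added illustrative model; not ThroughTek's Kalay protocol or SDK code.

Models the flaw class described in the article: a rendezvous broker that
keys device registrations on a public UID alone lets whoever registers the
UID last displace the real device, so clients are routed to the impostor.
The hardened broker requires proof of a per-device secret (AuthKey-like)
via HMAC challenge-response and logs refused registrations for detection.
Transport encryption (DTLS) is not modelled here.
"""
import hashlib
import hmac
import secrets


class VulnerableBroker:
    """Registration keyed by UID only: the last writer wins."""

    def __init__(self):
        self.endpoints = {}

    def register(self, uid, endpoint):
        self.endpoints[uid] = endpoint  # silently overwrites any earlier entry
        return True

    def lookup(self, uid):
        return self.endpoints.get(uid)


class HardenedBroker:
    """Registration requires an HMAC over a fresh nonce, computed with a
    per-device secret that was provisioned out of band and never transmitted."""

    def __init__(self):
        self.endpoints = {}
        self.auth_keys = {}   # uid -> secret bytes (provisioned, never sent)
        self.pending = {}     # uid -> outstanding nonce
        self.refused = []     # audit trail of rejected (re)registrations

    def provision(self, uid, auth_key):
        self.auth_keys[uid] = auth_key

    def challenge(self, uid):
        nonce = secrets.token_bytes(16)
        self.pending[uid] = nonce
        return nonce

    def register(self, uid, endpoint, response):
        key = self.auth_keys.get(uid)
        nonce = self.pending.pop(uid, None)  # single use, so no replay
        if key is None or nonce is None:
            self.refused.append((uid, endpoint, "no key or no challenge"))
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            self.refused.append((uid, endpoint, "bad auth response"))
            return False
        self.endpoints[uid] = endpoint
        return True

    def lookup(self, uid):
        return self.endpoints.get(uid)


def device_response(auth_key, nonce):
    """What a legitimate device computes; the secret itself never leaves it."""
    return hmac.new(auth_key, nonce, hashlib.sha256).digest()


def demo():
    """Returns (vulnerable_lookup, impostor_accepted, hardened_lookup, refused_count)."""
    uid = "UID-EXAMPLE-0001"          # constructed sample identifier
    real = "203.0.113.10:5000"         # real device (documentation address)
    impostor = "198.51.100.7:5000"     # second registrant (documentation address)

    vuln = VulnerableBroker()
    vuln.register(uid, real)
    vuln.register(uid, impostor)       # knowing the UID is enough to displace the device
    vulnerable_lookup = vuln.lookup(uid)

    hard = HardenedBroker()
    key = secrets.token_bytes(32)
    hard.provision(uid, key)
    hard.register(uid, real, device_response(key, hard.challenge(uid)))
    wrong_key = secrets.token_bytes(32)  # a registrant without the device's secret
    impostor_accepted = hard.register(
        uid, impostor, device_response(wrong_key, hard.challenge(uid)))
    hardened_lookup = hard.lookup(uid)
    return vulnerable_lookup, impostor_accepted, hardened_lookup, len(hard.refused)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the vulnerable broker now pointing clients at the impostor’s endpoint, while the hardened broker keeps the real device and leaves one entry in its `refused` log; in a real deployment that log is the signal to alert on, since a legitimate device rarely fails its own authentication.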

Security threats continue to loom over IoT devices across the world, and consumers must remain vigilant and keep their devices up to date. Until such flaws are patched, more people will be vulnerable to security threats that could compromise their personal privacy.
