Critical Bug Could Allow Remote Snooping Via Millions of Devices

Written by

Security researchers have found yet another critical IoT supply chain vulnerability affecting millions of devices, which could enable attackers to eavesdrop on real-time camera feeds.

Mandiant revealed the CVE-2021-28372 bug yesterday after reporting it to the Cybersecurity and Infrastructure Security Agency (CISA).

It affects devices using the “Kalay” platform from Taiwanese firm ThroughTek, which makes software for OEMs to use in IP cameras, baby and pet monitoring cameras, digital video recorders (DVRs) and more.

Although Mandiant wasn’t able to ascertain exactly how many devices are affected, the firm warned that, according to ThroughTek, more than 83 million are currently using Kalay.

The news comes just a couple of months after Nozomi Networks discovered a critical bug in the ThroughTek P2P SDK. However, unlike that flaw, this one allows threat actors to communicate with devices remotely, opening the door to remote code execution attacks, Mandiant claimed.

That said, exploitation is far from easy.

“An attacker would require comprehensive knowledge of the Kalay protocol and the ability to generate and send messages. The attacker would also need to obtain Kalay UIDs through social engineering or other vulnerabilities in APIs or services that return Kalay UIDs,” the security firm explained.

“From there, an attacker would be able to remotely compromise affected devices that correspond to the obtained UIDs.”

Mandiant worked closely with ThroughTek on vulnerability disclosure, and both they and CISA recommend any organizations using Kalay to upgrade to new version 3.1.10 without delay. Affected firms are also urged to enable DTLS, which protects data in transit, and AuthKey, which adds an extra layer of authentication during client connection.

Andy Norton, European cyber risk officer at Armis, warned that IoT devices are increasingly the weakest link in the corporate security chain.

“Despite IoT devices carrying very similar risks to organizations, there is currently a lack of mitigating controls in comparison to IT devices,” he added.

“Understanding the purpose of an IoT device and monitoring for changes to the way it behaves … is the current state of the art method for IoT device risk management."

What’s hot on Infosecurity Magazine?