ThroughTek’s Kalay is used to manage security cameras, baby monitors, DVRs and more. Newly discovered flaws allow attackers to view, eavesdrop, and steal recordings from hardware sold by dozens of vendors.
Kalay, a P2P IoT protocol developed by Taiwanese company ThroughTek, has serious security issues. A remote attacker can exploit the protocol to take complete control of a device while remaining barely visible.
The problem is not minor: a security advisory published by the US Cybersecurity and Infrastructure Security Agency (CISA) assigns it a severity score of 9.6 on the CVSS v3 scale, where 10 is the maximum. The vulnerability has low attack complexity, affects more than 83 million devices, and is rated as severe.
FireEye's Mandiant security research group made the responsible disclosure; it first discovered the flaw in late 2020. Mandiant said the new vulnerability is different from the flaw discovered by Nozomi Networks and reported in May 2021.
The vulnerability itself involves device spoofing by obtaining a Kalay device identifier (UID). Once the identifier is intercepted, an attacker can register the device with the Kalay servers. This overwrites the existing device registration and forwards future connection attempts to the fake device. If successful, the attacker can access live video and audio feeds, as well as further compromise the device for use in additional attacks.
Who is at risk of attacks caused by Kalay?
When such exploitable and widespread vulnerabilities are reported, it is imperative to distribute the news promptly so that affected parties can update their devices. In this case, that needs particular attention.
ThroughTek offers Kalay as a white-label SDK. Unfortunately, many IoT devices that use Kalay and ThroughTek components do not carry the ThroughTek or Kalay brand.
"Because of how original equipment manufacturers (OEMs) and resellers integrate the Kalay protocol before the device reaches the consumer, Mandiant cannot identify a complete list of products and companies affected by the vulnerabilities found," Mandiant said in a disclosure blog post.
One of ThroughTek's biggest customers is Chinese technology company Xiaomi, and in a 2020 press release, during the COVID-19 pandemic, the company said it had started working with the "top 10 baby care camera manufacturers in the world." Beyond that, ThroughTek is fairly tight-lipped about where its 83 million devices are, saying only that they have established 1.1 billion monthly connections running on 250 supported SoCs.
CISA said five Kalay configurations are affected:
- Version 3.1.5 or earlier
- SDK version with “nossl” tag
- Firmware that does not use AuthKey for IOTC connection
- Firmware that uses the AVAPI module without enabling DTLS
- Firmware using P2P Tunnel or RDT
According to ThroughTek, AuthKey and DTLS must be enabled if you are using Kalay 3.1.10 or later; if you are using an older version, upgrade to library 220.127.116.11 or 18.104.22.168 and then enable AuthKey and DTLS.
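To make the affected-configuration list above usable as a firmware-inventory check, here is an added example (not ThroughTek or CISA code) that parses an SDK version string numerically, flags each listed condition, and names the remediation step. The shape of the build dictionary is an assumption made for this example; real inventories will differ.

```python
"""Audit a Kalay SDK build against the affected configurations listed above.
Added example; the build-dictionary fields are an assumption, not ThroughTek's API."""
import re
from typing import Dict, List, Tuple

AFFECTED_MAX = (3, 1, 5)   # CISA: 3.1.5 and earlier are affected outright
FIXED_MIN = (3, 1, 10)     # ThroughTek: on 3.1.10+ enable AuthKey and DTLS


def parse_version(text: str) -> Tuple[Tuple[int, ...], List[str]]:
    """Split '3.1.5-nossl' into ((3, 1, 5), ['nossl']).
    Comparing integer tuples avoids the string-ordering trap ('3.1.10' < '3.1.5')."""
    m = re.match(r"(\d+(?:\.\d+)*)(?:[-_](.+))?$", text.strip())
    if not m:
        raise ValueError(f"unparseable SDK version: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    tags = [t.lower() for t in re.split(r"[-_]", m.group(2))] if m.group(2) else []
    return nums, tags


def assess_kalay_build(build: Dict) -> List[str]:
    """Return every listed condition the build matches; empty means none applies."""
    version, tags = parse_version(build["sdk_version"])
    reasons = []
    if version <= AFFECTED_MAX:
        reasons.append(f"SDK {build['sdk_version']} is 3.1.5 or earlier")
    if "nossl" in tags:
        reasons.append("SDK built with the 'nossl' tag")
    if not build.get("authkey", False):
        reasons.append("IOTC connection does not use AuthKey")
    if build.get("uses_avapi", False) and not build.get("dtls", False):
        reasons.append("AVAPI module used without DTLS")
    if build.get("p2p_tunnel", False) or build.get("rdt", False):
        reasons.append("P2P Tunnel or RDT in use")
    return reasons


def remediation(build: Dict) -> str:
    """Map the SDK version onto ThroughTek's two-branch guidance."""
    version, _ = parse_version(build["sdk_version"])
    if version >= FIXED_MIN:
        return "enable AuthKey and DTLS"
    return "upgrade the Kalay library, then enable AuthKey and DTLS"


# Constructed sample inventory for the demo; not real device data.
SAMPLE_BUILDS = {
    "old-nossl": {"sdk_version": "3.1.5-nossl", "authkey": False, "dtls": False, "uses_avapi": True},
    "new-hardened": {"sdk_version": "3.1.10", "authkey": True, "dtls": True, "uses_avapi": True},
}

if __name__ == "__main__":
    for name, build in SAMPLE_BUILDS.items():
        print(name, assess_kalay_build(build) or "no listed condition", "->", remediation(build))
```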
"With the rapid development of information technology, it is especially difficult to protect the cybersecurity of products and services from malicious attacks," ThroughTek says. As a best practice, if you are using a baby monitor, IoT camera, or DVR, check for firmware updates and learn which protocol your device uses.
Source: Eighty-three million devices that use the Kalay protocol are at risk of remote takeover. Is it yours? (TechRepublic) https://www.techrepublic.com/article/83-million-devices-using-the-kalay-protocol-are-at-risk-for-remote-takeover-are-yours/#ftag=RSS56d97e7