A vulnerability lurking in multiple types of smart devices, including security cameras, DVRs, and even baby monitors, could allow attackers to access real-time video and audio streams over the Internet and even take complete remote control of the gadgets. To make matters worse, the flaw is not limited to a single manufacturer: it sits in a software development kit that is built into more than 83 million devices and that handles more than 1 billion Internet connections every month.
The SDK in question is ThroughTek Kalay, which provides a plug-and-play system for connecting smart devices to their corresponding mobile applications. The Kalay platform brokers the connection between a device and its app, handles authentication, and relays commands and data in both directions. For example, Kalay provides built-in functions for pairing security cameras with apps that can remotely control the camera angle. Researchers from the security firm Mandiant discovered the vulnerability at the end of 2020 and publicly disclosed it today in coordination with the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA).
Jake Valletta, a director at Mandiant, said: "You build Kalay in, and it's the glue and functionality that these smart devices need." "An attacker can connect to a device at will, retrieve audio and video, and then use the remote API to do things like trigger a firmware update, change the camera's pan angle, or reboot the device. And the user doesn't know that anything is wrong."
The flaw lies in the registration mechanism between a device and its mobile application. The researchers found that this most basic connection depends on each device's "UID," a unique Kalay identifier. An attacker who knows a device's UID (Valletta says one can be obtained through social engineering or by searching for web vulnerabilities at a given manufacturer) and who has some knowledge of the Kalay protocol can re-register that UID and effectively hijack the connection the next time someone tries to legitimately access the target device. The user sees a delay of a few seconds, but from their point of view everything then proceeds normally.
From there, the attacker can obtain the special credentials each manufacturer sets for its devices, usually a random, unique username and password. With the UID plus that login, the attacker can remotely control the device through Kalay without any further hacking or manipulation. Attackers could also use full control of an embedded device such as an IP camera as a foothold for moving into the target network.
By exploiting the vulnerability, an attacker could watch the video feed in real time, potentially viewing sensitive security footage or peeking into a crib. They could mount a denial-of-service attack by shutting down the camera or other gadget, or they could install malicious firmware on the target device. And because the attack works by obtaining credentials and then using Kalay to remotely manage the embedded device, the victim cannot evict the intruder by wiping or resetting the device: the attacker can simply relaunch the attack.
As with many IoT security failures, finding the bug is a long way from fixing it. ThroughTek is just one part of a huge ecosystem that would need to participate in resolving the vulnerability. Manufacturers build Kalay into their products, which may then be purchased by another company and sold under a separate brand name. So although ThroughTek has released a fix, it is difficult to know exactly how many companies rely on Kalay and need to distribute updates.
The researchers did not release details of their analysis of the Kalay protocol or of how to exploit the vulnerability. They say they have not seen evidence of exploitation in the wild, and their goal is to raise awareness of the problem without handing real attackers a roadmap. ThroughTek did not respond to WIRED's request for comment. In June, the company released Kalay version 3.1.10, which fixes the vulnerability. Mandiant's researchers recommend that manufacturers upgrade to that version or later and also enable two Kalay features: DTLS, which encrypts the communication channel, and AuthKey, which adds an authentication layer to the Kalay API.