Millions of IoT devices are vulnerable due to Kalay cloud platform bug

A serious vulnerability in the Kalay cloud platform has been discovered, exposing millions of IoT devices to cyberattacks.

The major vulnerability, tracked as CVE-2021-28372, was identified by FireEye’s Mandiant researchers in a core component of the Kalay cloud platform, which is used by millions of IoT devices from several vendors.

A remote attacker can easily exploit the flaw to take control of an IoT device.

The sole piece of information required for the attack is the targeted user’s Kalay unique identifier (UID), which may be obtained through social engineering.

Mandiant was unable to compile a comprehensive list of vulnerable devices; nevertheless, according to ThroughTek’s website, the Kalay platform currently has over 83 million active devices.

An attacker would need a thorough understanding of the Kalay protocol as well as the capacity to create and deliver messages.

The attacker would also need Kalay UIDs, obtained via social engineering or via other flaws in APIs or services that return Kalay UIDs.

The attacker might then use the obtained UIDs to remotely hack the devices that match the UIDs.

The hacker might use the UID of a targeted device to make a specially crafted request to the Kalay network to register another device with the same UID.

The Kalay servers then overwrite the existing device’s registration with the attacker’s.

Once the victim connects to the device, the connection is diverted to the attacker, who can then capture the victim’s credentials for accessing the device.

The platform is mostly used by video surveillance equipment like IP cameras and baby monitors.

The attacker might use this weakness to listen in on audio and video conversations.

The attacker might also exploit the device’s RPC (remote procedure call) functionality to take complete control of it.

RPC functionality varies from device to device, but it is commonly used for telemetry, firmware upgrades, and device control.

To resolve the issue, ThroughTek, the firm that created the cloud IoT platform, has published SDK updates.

It is suggested that all customers enable AuthKey and DTLS.

Customers are encouraged to take one of the following actions right away:

  • If using ThroughTek SDK v3.1.10 and above, enable AuthKey and DTLS;
  • If using a ThroughTek SDK version older than v3.1.10, upgrade the library to v3.3.1.0 or v3.4.2.0, and enable AuthKey and DTLS.
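The core of the issue described above is that a device registration keyed on nothing but a UID can be replaced by anyone who learns that UID, whereas a registration that must carry proof of a per-device secret (the role AuthKey plays in the vendor’s advice) cannot. The following Python model is an added illustration, not ThroughTek’s code and not an implementation of the Kalay protocol: the `UidOnlyRegistry` and `AuthKeyRegistry` classes, their methods, and the UID and endpoint strings are all hypothetical or constructed for the demo, and the HMAC proof stands in for whatever key-bound handshake the real SDK performs. DTLS (transport encryption) is not modelled.

```python
import hashlib
import hmac
import secrets

# Constructed sample values for the demo; no real Kalay identifiers are used.
SAMPLE_UID = "CONSTRUCTED-UID-00000001"
LEGIT_ENDPOINT = "camera.home.lan"
ROGUE_ENDPOINT = "attacker-controlled.example"


class UidOnlyRegistry:
    """Hypothetical model of the weak design: the registry trusts the UID alone,
    so the most recent registration for a UID simply replaces the earlier one."""

    def __init__(self):
        self._endpoints = {}
        self.events = []  # audit trail: the signal a platform operator could alert on

    def register(self, uid, endpoint):
        previous = self._endpoints.get(uid)
        if previous is not None and previous != endpoint:
            # Detection hook: an already-registered UID re-registered from a new endpoint.
            self.events.append(("REREGISTER", uid, previous, endpoint))
        self._endpoints[uid] = endpoint  # last writer wins
        return True

    def connect(self, uid):
        """Clients are directed to whatever endpoint is currently registered for the UID."""
        return self._endpoints.get(uid)


class AuthKeyRegistry:
    """Hypothetical model of the hardened design: each UID is provisioned with a
    secret, and a registration must carry an HMAC over (uid, endpoint) under that
    secret. Knowing the UID alone is not enough to produce a valid proof."""

    def __init__(self):
        self._keys = {}
        self._endpoints = {}

    def provision(self, uid):
        """Out-of-band provisioning (e.g. at manufacture); returns the device secret."""
        key = secrets.token_bytes(32)
        self._keys[uid] = key
        return key

    @staticmethod
    def prove(key, uid, endpoint):
        """Proof binds the secret to both the UID and the endpoint being registered."""
        return hmac.new(key, f"{uid}|{endpoint}".encode(), hashlib.sha256).digest()

    def register(self, uid, endpoint, proof):
        key = self._keys.get(uid)
        if key is None:
            return False  # unknown UID: nothing to verify against
        expected = self.prove(key, uid, endpoint)
        if not hmac.compare_digest(expected, proof):
            return False  # proof does not match: registration refused, nothing overwritten
        self._endpoints[uid] = endpoint
        return True

    def connect(self, uid):
        return self._endpoints.get(uid)


def run_demo():
    """Returns (weak_endpoint, weak_overwrite_events, strong_rejected, strong_endpoint)."""
    weak = UidOnlyRegistry()
    weak.register(SAMPLE_UID, LEGIT_ENDPOINT)
    weak.register(SAMPLE_UID, ROGUE_ENDPOINT)  # second registration silently replaces the first
    weak_endpoint = weak.connect(SAMPLE_UID)

    strong = AuthKeyRegistry()
    key = strong.provision(SAMPLE_UID)
    strong.register(SAMPLE_UID, LEGIT_ENDPOINT,
                    AuthKeyRegistry.prove(key, SAMPLE_UID, LEGIT_ENDPOINT))
    bogus_proof = hashlib.sha256(b"knows-the-uid-but-not-the-key").digest()
    strong_rejected = not strong.register(SAMPLE_UID, ROGUE_ENDPOINT, bogus_proof)
    strong_endpoint = strong.connect(SAMPLE_UID)
    return weak_endpoint, len(weak.events), strong_rejected, strong_endpoint


if __name__ == "__main__":
    print(run_demo())
```

In the weak model the client ends up at the rogue endpoint and the only trace is the re-registration event; in the hardened model the rogue registration is refused and the original endpoint survives. The event list is the defensive takeaway for anyone operating a similar registry: a live UID re-registering from a different network location is exactly the pattern worth logging and alerting on, whether or not key binding is in place.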

According to the researchers, the flaw poses a significant risk to an end user’s security and privacy and should be addressed immediately.

Unprotected devices, such as IoT cameras, can be remotely compromised given access to a UID, and depending on the functionality offered by the device, more attacks are possible.
