Webcams, Baby Monitors, and More: Flaw on 83 Million Devices Allows Hackers to Eavesdrop and Take Over Devices

By B.N. Frank

Internet of Things (IoT) technology has been described as the “Internet of Vulnerable Things” for good reason. So far its vulnerability has compromised hundreds of millions of critical devices and infrastructure (see 1, 2, 3, 4).

Thanks to Threatpost for reporting another unfortunate situation.

Bug in Millions of Flawed IoT Devices Lets Attackers Eavesdrop

A remote attacker could exploit a critical vulnerability to eavesdrop on live audio & video or take control. The bug is in ThroughTek’s Kalay network, used in 83m devices.

Security researchers have discovered a critical flaw that affects tens of millions of internet-of-things (IoT) devices – one that exposes live video and audio streams to eavesdropping threat actors and which could enable attackers to take over control of devices, including security webcams and connected baby monitors.

The flaw, tracked as CVE-2021-28372 and FEYE-2021-0020 and assigned a critical CVSS3.1 base score of 9.6, was found in devices connected via ThroughTek’s Kalay IoT cloud platform.

The alarm was sounded on Tuesday by Mandiant, in coordination with the Cybersecurity and Infrastructure Security Agency (CISA) and ThroughTek. Mandiant’s Red Team discovered the vulnerability in late 2020.

“CVE-2021-28372 poses a huge risk to an end user’s security and privacy and should be mitigated appropriately,” according to Mandiant’s post. “Unprotected devices, such as IoT cameras, can be compromised remotely with access to a UID and further attacks are possible depending on the functionality exposed by a device.”

The world has already been inundated with tales of what can happen when these kind of devices are misconfigured or riddled with vulnerabilities, and this just adds to the growing pile of scary headlines. For example, in February, a vulnerability affecting multiple baby monitors was found to expose hundreds of thousands of live devices, potentially allowing someone to drop in and view a camera’s video stream.

As Mandiant explained, the flaw would enable adversaries “to remotely compromise victim IoT devices, resulting in the ability to listen to live audio, watch real time video data, and compromise device credentials for further attacks based on exposed device functionality. These further attacks could include actions that would allow an adversary to remotely control affected devices.”

In a Tuesday post, researchers Jake Valletta, Erik Barzdukas and Dillon Franke – who discovered the bug – explained that it’s impossible to compile a comprehensive list of companies and products affected, given how the Kalay protocol is integrated by manufacturers and resellers before devices reach consumers. Though they couldn’t come up with a definitive list of affected companies and products that implement the Kalay platform, they strongly advised users of IoT devices “to keep device software and applications up to date and use complex, unique passwords for any accounts associated with these devices.”

Mandiant also recommends that device owners avoid connecting to affected devices from untrusted networks, such as public Wi-Fi: a recommendation that’s already part of wireless best practices, as the National Security Agency (NSA) recently advised in a public service announcement (PDF).

Kalay: A Newly Unappealing Handshake

According to ThroughTek, “Kalay” is an indigenous Dawu word that means “handshake,” “symbolizing the universal link in an interconnected world.”

ThroughTek implements that handshake – the Kalay protocol – as a software development kit (SDK). The Kalay SDK provides a plug-and-play network to easily connect smart devices with corresponding mobile apps.

The researchers provided an illustration that gives an example of how it works: The figure below shows a typical device registration process and client connection on the Kalay network. In this example, a user remotely accesses their home network’s Kalay-enabled camera on a mobile app from a remote network: for example, a user would view their home camera’s feed while in a coffee shop or on a mobile phone network

Kalay flow. Source: Mandiant.

How Many Devices Are Affected? Impossible to Say

To get a high-level view of the scope of potentially affected products and companies, researchers pointed to ThroughTek’s advertising, which boasts of supporting upwards of 83 million active devices and more than 1.1 billion monthly connections on the platform. ThroughTek also supports 250 systems-on-a-chip (SOCs): the microchips that contain all the necessary electronic circuits and parts for small consumer electronic devices, such as smartphones or wearable computers.

Mandiant said that affected Kalay products include IoT camera manufacturers, smart baby monitors, and Digital Video Recorder (DVR) products.

Researchers noted that this ThroughTek bug is worse than the critical Nozomi Networks vulnerability disclosed in May: a bug that was already quite severe in that it laid open millions of connected cameras, leaving them prey to having remote attackers get at camera feeds. But besides eavesdropping, this latest Kalay vulnerability means that devices could be remotely controlled by people who have no business tinkering with other people’s baby monitors, webcams or other IoT gadgets, Mandiant said.

“This latest vulnerability allows attackers to communicate with devices remotely,” researchers explained. “As a result, further attacks could include actions that would allow an adversary to remotely control affected devices and could potentially lead to remote code execution.”

How the Bug Works…

Read full article

Also check out the free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

Hardwired internet connections are more secure and safer than wireless connections (see 1, 2, 3, 4). Grassroots organization, Whatis5G.Info, has identified 9 ways that IoT and controversial 5G technology will harm humans, the environment, and Earth:

Health – The robust and growing independent science shows harms to our health from microwave radiation
Privacy – The invasion of our privacy from the collection and mining of our digital data
Cyber Security -The fast growing and devastating cyber security risks
Environment – The harms to wildlife, particularly bees, butterflies and other pollinators
Energy – The huge energy consumption to produce and power a wireless Internet of Things
Brains and Humanity – The effects on our brains and humanity from humans increasingly inhabiting the cyber world
E-Waste – The astronomical e-waste that will be generated from connecting virtually every “thing” to the Internet
Conflict Minerals – 5G and the IoT will vastly grow our dependence on conflict minerals, which have brought about the death of close to 6 million people
Ethics — Ethical issues arising from the IoT. New human rights laws are being being considered; how should humans relate to robots and AI? The blurring of what was once a clear delineation between technology and humans

Despite all of the above, IoT applications along with 5G are still being installed in U.S. communities and around the world (see 1, 2, 3, 4). Crazy, right?