Mandiant, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), and Internet of Things provider ThroughTek have disclosed a critical vulnerability affecting millions of IoT devices that could let attackers spy on video and audio feeds from Web cameras, baby monitors, and other devices.
CVE-2021-28372 was discovered by Mandiant's Jake Valletta, Erik Barzdukas, and Dillon Franke, and it exists in several versions of ThroughTek's Kalay protocol. It has been assigned a CVSS score of 9.6.
The Kalay protocol is implemented as a software development kit (SDK) that is built into client software, such as a mobile or desktop application, and networked IoT devices such as smart cameras. ThroughTek claims to have more than 83 million active devices and at least 1.1 billion monthly connections on its platform, and its clients include IoT camera manufacturers, smart baby monitors, and digital video recorder (DVR) products.
Because the Kalay protocol is integrated by OEMs and resellers before devices reach consumers, the researchers who discovered the vulnerability were unable to determine a complete list of devices and organizations it affects.
This isn't the first ThroughTek flaw disclosed this year. In May 2021, researchers with Nozomi Networks disclosed a security camera vulnerability affecting a software component from ThroughTek. Unlike this flaw, CVE-2021-28372 allows attackers to communicate with devices remotely and in doing so, control devices and potentially conduct remote code execution.
Mandiant researchers used two approaches to analyze the protocol. They first downloaded and disassembled applications from Google Play and the Apple App Store that contained ThroughTek libraries. They also bought different Kalay-enabled devices, on which they conducted local and hardware-based attacks to obtain shell access, recover firmware images, and perform more dynamic testing.
Over a series of months, the team created a functional implementation of the Kalay protocol and with this, they were able to perform device discovery, device registration, remote client connections, authentication, and process audio and video data on the network. Their familiarity with the protocol allowed them to then focus on identifying logic and flow vulnerabilities in it.
CVE-2021-28372 affects how Kalay-enabled devices access and join the Kalay network, the Mandiant team explains in a blog post on their findings. They found device registration only requires a device's 20-byte unique assigned identifier (UID) to access a network. The UID is usually provided to a Kalay-enabled device from a Web API hosted by the product's seller.
If attackers gain access to the UID of a target device, they can register that device with the same UID on the network and cause the Kalay servers to overwrite the existing device. With this done, attempts at a client connection to access the victim UID will redirect to the attackers. The attackers can continue the connection and access the username and password needed to log in to the device.
"With the compromised credentials, an attacker can use the Kalay network to remotely connect to the original device, access AV data, and execute [remote procedure call] calls," the researchers write. "Vulnerabilities in the device-implemented RPC interface can lead to fully remote and complete device compromise."
A successful attack would require "comprehensive knowledge of the Kalay protocol" as well as the ability to create and send messages, researchers note. The attackers would need to obtain Kalay UIDs via social engineering or vulnerabilities in the APIs and services that return Kalay UIDs. This would allow them to attack devices linked to the UIDs they have.
Mitigations for Vulnerable Devices
Mandiant disclosed the vulnerability along with ThroughTek and CISA. Organizations using the Kalay protocol are advised to adopt the following guidance from ThroughTek and Mandiant:
If the implemented SDK is below version 3.0, upgrade the library to version 220.127.116.11 or version 18.104.22.168 and enable the Authkey and Datagram Transport Layer Security (DTLS) features the Kalay platform provides. If the implemented SDK is version 3.1.10 or above, enable Authkey and DTLS. Companies are also advised to review the security they have in place on APIs or other services that return Kalay UIDs.
Mandiant urges IoT device owners to keep their software and applications up to date and use complex, unique passwords for accounts associated with their devices. Further, they should avoid connecting to vulnerable devices from untrusted networks, such as public Wi-Fi.
For manufacturers, the company recommends ensuring IoT device manufacturers apply controls around Web APIs used to obtain Kalay UIDs, usernames, and passwords, as this would decrease attackers' ability to access the data they need to remote access target devices.
"CVE-2021-28372 poses a huge risk to an end user's security and privacy and should be mitigated appropriately," the researchers write. "Unprotected devices, such as IoT cameras, can be compromised remotely with access to a UID and further attacks are possible depending on the functionality exposed by a device."
CISA has also issued an advisory warning of the ThroughTek flaw.