A vulnerability in ThroughTek's Kalay network could allow adversaries to listen to live audio and watch real-time video on millions of IoT devices, according to coordinated advisories by Mandiant and the Cybersecurity and Infrastructure Security Agency (CISA).
While the disclosures were released Tuesday, the bug was initially discovered by researchers on Mandiant's red team in late 2020. Threat researchers Jake Valletta, Erik Barzdukas and Dillon Franke contributed to Mandiant's threat research blog, which detailed the vulnerability. Valletta is credited with first discovering the bug, which is tracked as CVE-2021-28372 and received a CVSS of 9.6 out of 10. It affects several versions of ThroughTek's Kalay peer-to-peer (P2P) software development kit (SDK), including versions 3.1.5 and prior.
Successful exploitation could permit remote code execution and access to sensitive data such as audio and video feeds. Additionally, Mandiant said it could be used to gain remote access to credentials to be used in future attacks.
To date, there are no known public exploits specifically targeting the vulnerability.
ThroughTek released its own statement this month confirming it was aware of the security vulnerability, though it did not provide details about the nature of the flaw. The statement explained that outdated versions of the ThroughTek P2P SDK released by 2018 do not sufficiently protect data transferred between the local device and ThroughTek servers.
"ThroughTek has focused its efforts on making mitigations and solutions for customers available as fast as possible and the related guidance has been updated as our understanding of the issue has evolved," the statement said.
ThroughTek software is deployed worldwide, so customer impact could be substantial. According to CISA's advisory, the Taiwan-based software vendor supplies multiple OEMs of IP cameras with P2P connections as part of its cloud platform. Mandiant's disclosure stated that ThroughTek has more than 83 million active devices and over 1.1 billion monthly connections on that platform. Clients include IoT camera manufacturers, smart baby monitors and digital video recording products.
A complete list of affected products and companies is difficult to determine. Mandiant attributes that to how the "Kalay protocol is integrated by OEMs and resellers before devices reach consumers."
In an email to SearchSecurity, Franke said Mandiant is working with several vendors to ensure proper mitigations are in place and, therefore, declined to provide any device-specific information about vulnerable products and manufacturers. "Additionally, because the Kalay platform is intended to be used transparently and is bundled as part of the OEM manufacturing process, Mandiant was not able to create a complete list or breakdown of affected devices, geographic regions or industry verticals impacted," Franke said.
While analyzing the Kalay protocol over the course of several months, researchers determined the vulnerability could lead to device impersonation. Additionally, they determined that the bug affects how Kalay-enabled devices access and join the Kalay network. According to the Mandiant blog post, researchers found that the device registration process requires only the device's 20-byte uniquely assigned identifier (UID) to access the network.
"If an attacker obtains a UID of a victim Kalay device, they can maliciously register a device with the same UID on the network and cause the Kalay servers to overwrite the existing Kalay device. Once an attacker has maliciously registered a UID, any client connection attempts to access the victim UID will be directed to the attacker," the blog post said.
Franke said the nature of the technology posed challenges for both the responsible disclosure process, which was much longer than the traditional 90 days, as well as mitigation. "Proprietary IoT protocols, such as Kalay, introduce new opportunities for things to go wrong from a security perspective," he said. "Users of these protocols often have no visibility into how they are implemented and rely on OEMs having good development and review practices. When these good practices do not occur, serious vulnerabilities can remain hidden for a long time and affect a large number of clients or devices when discovered."
Due to the extent of sensitive information that could be impacted if the vulnerability is exploited, mitigation is strongly recommended. Mandiant, CISA and ThroughTek advise companies using the Kalay protocol to upgrade to at least version 3.1.190 and enable two Kalay features: Datagram Transport Layer Security, which protects data in transit, and AuthKey, which adds an additional layer of authentication during client connection.
Additionally, CISA provided defensive measures to minimize the risk of exploitation, including minimizing network exposure for all control system devices or systems, locating control system networks and remote devices behind firewalls and isolating them from the business network.