Critical IoT security camera vulnerability allows attackers to remotely watch live video - and gain access to networks

Mandiant, CISA and ThroughTek disclose a vulnerability in millions of devices that could let attackers watch live camera feeds, create botnets or use hacked devices as a stepping stone to further attacks.

How these unusual smart devices can be hacked and what it means for the IoT

Security vulnerabilities in millions of Internet of Things (IoT) devices, including connected security cameras, smart baby monitors and other digital video recording equipment, could allow cyber attackers to compromise devices remotely, allowing them to watch and listen to live feeds, as well as compromise credentials to prepare the ground for further attacks.

The vulnerabilities in IoT devices that use the ThroughTek Kalay network have been disclosed by cybersecurity company Mandiant in coordination with the Cybersecurity and Infrastructure Security Agency (CISA) and ThroughTek.  

It's tracked as CVE-2021-28372 and carries a Common Vulnerability Scoring System (CVSS) score of 9.6 -- classifying it as a critical vulnerability. Upgrading to the latest version of the Kalay protocol (3.1.10) is highly recommended to protect devices and networks from attacks.  

SEE: A winning strategy for cybersecurity (ZDNet special report)

While Mandiant hasn't been able to compile a comprehensive list of all the affected devices, ThroughTek's own figures suggest that 83 million connected devices are connected through the Kalay network. 

Previous research by Nozomi Networks also found vulnerabilities in ThroughTek, but the new vulnerabilities disclosed by Mandiant are separate and allow attackers to execute remote code on devices. 

Researchers were able to combine dissembling ThroughTek libraries via official apps from both the Google Play Store and Apple App Store with developing a fully functional implementation of ThroughTek's Kalay protocol. This allowed key actions to be taken, including device discovery, device registration, remote client connections, authentication, and the processing of audio and video (AV) data. 

By writing an interface for creating and manipulating Kalay requests and responses, researchers could identify logic and flow vulnerabilities in the Kalay protocol -- most notably, the ability to identify and register devices in a way that allows attackers to compromise them.

Attackers achieve this by obtaining a Kalay-enabled client device's uniquely assigned identifier, which can be discovered via web APIs such as mobile applications. Once they've obtained the UID of a device, they can register it, which causes Kalay servers to overwrite the existing device, directing attempts to connect to the device into the path of the attacker. 

By doing this, attackers can obtain the username and password needed to access the device, which they can then use to access it remotely -- complete with the ability to monitor audio and video data in real time. 

"Once an attacker obtained UIDs, they could redirect client connections to themselves and obtain authentication materials to the device. From there, an attacker could watch device video, listen to device audio, and potentially compromise the device further depending on device functionality," Erik Barzdukas, manager of proactive services at Mandiant Consulting, told ZDNet. 

Not only is this a massive privacy violation for the users, particularly if the cameras and monitors are installed inside their own homes, but compromised devices in enterprise settings could allow attackers to snoop on sensitive discussions and meetings, potentially providing them with additional means of compromising networks.

There's also the potential for devices to be recruited into a botnet and used to conduct DDoS attacks

"This vulnerability could potentially allow for remote code execution on the victim device, which may be used maliciously in a variety of its own ways, like potentially creating a botnet out of the vulnerable devices or further attacking devices on the same network as the victim device," said Barzdukas.

Exploiting CVE-2021-28372 is complex and would require time and effort from an attacker. But that doesn't make it impossible, and the vulnerability is still considered critical by CISA.  

SEE: The cybersecurity jobs crisis is getting worse, and companies are making basic mistakes with hiring

Mandiant is working with vendors who use the Kalay protocol to help protect devices from the vulnerability, and recommends that no matter the manufacturer, IoT users should regularly apply patches and updates to devices to ensure they're protected against known vulnerabilities. 

"Regardless of whether you own one of the impacted devices, Mandiant strongly recommends consumers and businesses with smart devices keep their devices and applications up to date," said Barzdukas. 

"Consumers and businesses need to set aside time -- at least once a month -- to check if their smart devices have any updates to install," he added. 

"As an IoT solution provider, we are continuously upgrading sufficient software and cloud service to provide higher security mechanisms to apply in devices, connections, and client app. Although we cannot limit what API/function that developers will use in our SDK, ThroughTek will strengthen our educational training and make sure our customers use it correctly to avoid a further security breach," a ThroughTek spokesperson told ZDNet.

"Also, we have been working with CISA to mitigate this vulnerability," they added.

Mandiant's security disclosure thanks ThroughTek -- and CISA -- "both for their cooperation and support with releasing this advisory and commitment to securing IoT devices globally."

MORE ON CYBERSECURITY