Mandiant researchers have identified a new critical vulnerability affecting millions of IoT devices that use ThroughTek's “Kalay” network. The flaw, tracked as CVE-2021-28372, can be exploited by a remote attacker who knows only the Kalay UID of the target device.
The vulnerability “would enable adversaries to remotely compromise victim IoT devices, resulting in the ability to listen to live audio, watch real time video data, and compromise device credentials for further attacks based on exposed device functionality. These further attacks could include actions that would allow an adversary to remotely control affected devices,” reads the blog post.
Mandiant was not able to provide a list of affected devices, but it pointed to the ThroughTek website, which states that around 83 million devices are using the Kalay platform at the time of writing.
“If an attacker obtains a UID of a victim Kalay device, they can maliciously register a device with the same UID on the network and cause the Kalay servers to overwrite the existing Kalay device. Once an attacker has maliciously registered a UID, any client connection attempts to access the victim UID will be directed to the attacker. The attacker can then continue the connection process and obtain the authentication materials (a username and password) needed to access the device,” reads the blog post.
AFFECTED PRODUCTS AND VERSIONS
- SDK versions below 3.1.10
- SDK versions with nossl tag
- Device firmware that does not use AuthKey for IOTC connection
- Device firmware using the AVAPI module without enabling DTLS mechanism
- Device firmware that uses P2PTunnel or RDT module
Customers are advised to follow the mitigations below, released by the vendor:
- If using ThroughTek SDK v3.1.10 or above, please enable AuthKey and DTLS;
- If using a ThroughTek SDK version older than v3.1.10, please upgrade the library to v22.214.171.124 or v126.96.36.199 and enable AuthKey and DTLS.
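The affected-products list and the vendor mitigations above translate directly into an inventory check. The following is an added example (not code from Mandiant, ThroughTek or the original post) that triages a fleet of Kalay-based devices against those conditions; the `KalayDevice` fields are assumed names for whatever your firmware or SBOM inventory actually records, and the sample devices are constructed.

```python
from dataclasses import dataclass

# Inventory record; the field names are assumptions made for this example and
# should be mapped from whatever your firmware/SBOM data actually records.
@dataclass
class KalayDevice:
    name: str
    sdk_version: str               # e.g. "3.1.10" or "3.1.9-nossl"
    authkey_enabled: bool = False  # AuthKey used for the IOTC connection
    dtls_enabled: bool = False     # DTLS enabled for the AVAPI module
    uses_avapi: bool = True
    uses_p2ptunnel_or_rdt: bool = False

FIXED_SDK = (3, 1, 10)  # SDK versions below this are listed as affected

def parse_version(v: str):
    """Return (numeric_tuple, tag) so that '3.1.9' sorts below '3.1.10';
    comparing the raw strings would get this ordering wrong."""
    core, _, tag = v.strip().lstrip("v").partition("-")
    nums = tuple(int(p) for p in core.split("."))
    return nums, tag.lower()

def assess(dev: KalayDevice) -> list:
    """Exposure conditions from the advisory's affected-products list that
    apply to this device, each paired with the vendor's mitigation."""
    nums, tag = parse_version(dev.sdk_version)
    findings = []
    if nums < FIXED_SDK:
        findings.append("SDK below 3.1.10: upgrade the library, then enable AuthKey and DTLS")
    if "nossl" in tag:
        findings.append("nossl SDK build: rebuild with an SSL-capable SDK")
    if not dev.authkey_enabled:
        findings.append("no AuthKey on IOTC connection: enable AuthKey")
    if dev.uses_avapi and not dev.dtls_enabled:
        findings.append("AVAPI without DTLS: enable DTLS")
    if dev.uses_p2ptunnel_or_rdt:
        findings.append("P2PTunnel/RDT module in use: listed as affected")
    return findings

def triage(devices) -> dict:
    """Map device name -> findings for every device with at least one."""
    result = {}
    for dev in devices:
        f = assess(dev)
        if f:
            result[dev.name] = f
    return result

if __name__ == "__main__":
    fleet = [KalayDevice("cam-ok", "3.1.10", authkey_enabled=True, dtls_enabled=True),
             KalayDevice("cam-old", "3.1.9-nossl")]   # constructed sample inventory
    for name, findings in triage(fleet).items():
        print(name, "->", "; ".join(findings))
```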
For more cyber security write-ups in crisp content, please follow our site via the Twitter handle @cyberworkx1.