Critical ThroughTek SDK Bug Could Let Attackers Spy On Millions of IoT Devices

The Hacker News (thehackernews.com), Aug 18, 2021, 3:48 p.m.

CVSS3: 8.3 High (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: CHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

CVSS2: 7.6 High (AV:N/AC:H/Au:N/C:C/I:C/A:C)
  Access Vector: NETWORK
  Access Complexity: HIGH
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE

EPSS: 0.002 Low (Percentile: 54.5%)


A security vulnerability has been found affecting several versions of ThroughTek Kalay P2P Software Development Kit (SDK), which could be abused by a remote attacker to take control of an affected device and potentially lead to remote code execution.

Tracked as CVE-2021-28372 (CVSS score: 9.6) and discovered by FireEye Mandiant in late 2020, the weakness concerns an improper access control flaw in ThroughTek point-to-point (P2P) products, successful exploitation of which could result in the “ability to listen to live audio, watch real time video data, and compromise device credentials for further attacks based on exposed device functionality.”

“Successful exploitation of this vulnerability could permit remote code execution and unauthorized access to sensitive information, such as to camera audio/video feeds,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) noted in an advisory.

There are believed to be 83 million active devices on the Kalay platform. The following versions of the Kalay P2P SDK are impacted:

  • Versions 3.1.5 and prior
  • SDK versions with the nossl tag
  • Device firmware that does not use AuthKey for IOTC connection
  • Device firmware using the AVAPI module without enabling DTLS mechanism
  • Device firmware using P2PTunnel or RDT module

The Taiwanese company’s Kalay platform is a P2P technology that allows IP cameras, light cameras, baby monitors, and other internet-enabled video surveillance products to handle secure transmission of large audio and video files at low latency. This is made possible through the SDK – an implementation of the Kalay protocol – that’s integrated into mobile and desktop apps and networked IoT devices.


CVE-2021-28372 resides in the registration process between the devices and their mobile applications, specifically in how they access and join the Kalay network. It enables attackers to spoof a victim device’s identifier (called a UID) and register a rogue device on the network under the same UID, causing the registration servers to overwrite the existing device entry and mistakenly route client connections to the rogue device.


“Once an attacker has maliciously registered a UID, any client connection attempts to access the victim UID will be directed to the attacker,” the researchers said. “The attacker can then continue the connection process and obtain the authentication materials (a username and password) needed to access the device. With the compromised credentials, an attacker can use the Kalay network to remotely connect to the original device, access AV data, and execute RPC calls.”


However, it’s worth pointing out that an adversary would require “comprehensive knowledge” of the Kalay protocol, and would also need to obtain the target Kalay UIDs, whether through social engineering or through other vulnerabilities in APIs or services, in order to pull off the attack.

To mitigate potential exploitation, it’s recommended to upgrade the Kalay protocol to version 3.1.10 and to enable DTLS and AuthKey, which secure data in transit and add an additional layer of authentication during client connection.
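To make the registration weakness and the AuthKey mitigation concrete, here is an added toy model written for this page. It is not ThroughTek’s code: the registry, the message layout and the HMAC-based “AuthKey” proof are assumptions that model only the behaviour the article describes (last registration for a UID wins, and clients are routed to whoever registered last), beside a hardened policy that refuses to overwrite a route unless the registrant proves possession of the device-bound secret.

```python
"""Toy model of the UID registration weakness and the AuthKey mitigation described
above. Written for this page, not ThroughTek's code: the registry, message layout
and HMAC 'AuthKey' proof are assumptions modelling what the article describes."""
import hashlib
import hmac
import os

def proof_for(authkey, uid, endpoint, nonce):
    """Registrant's proof of possessing the device-bound secret for this UID."""
    return hmac.new(authkey, f"{uid}|{endpoint}|".encode() + nonce, hashlib.sha256).digest()

class Registry:
    def __init__(self, authkeys):
        self.authkeys = authkeys   # uid -> secret provisioned on the device
        self.routes = {}           # uid -> endpoint that clients are routed to
        self.pending = {}          # uid -> outstanding server-issued nonce
        self.rejected = []         # (uid, endpoint, reason), for the operator's log

    def register_weak(self, uid, endpoint):
        """Vulnerable policy: anyone may (re)register any UID; last writer wins."""
        self.routes[uid] = endpoint

    def challenge(self, uid):
        """Server-issued nonce so a captured proof cannot be replayed later."""
        self.pending[uid] = os.urandom(16)
        return self.pending[uid]

    def register_authkey(self, uid, endpoint, proof):
        """Hardened policy: only a holder of the UID's AuthKey may set its route."""
        key, nonce = self.authkeys.get(uid), self.pending.pop(uid, None)
        if key is None or nonce is None:
            self.rejected.append((uid, endpoint, "unknown uid or no challenge"))
            return False
        if not hmac.compare_digest(proof_for(key, uid, endpoint, nonce), proof):
            self.rejected.append((uid, endpoint, "bad AuthKey proof"))
            return False
        self.routes[uid] = endpoint
        return True

def demo():
    # Constructed sample: one camera UID with a provisioned secret, two endpoints.
    secret, uid = b"constructed-device-secret", "CAM-0001"
    device, other = "203.0.113.10:4000", "198.51.100.7:4000"
    reg = Registry({uid: secret})
    reg.register_weak(uid, device)
    reg.register_weak(uid, other)         # overwrite succeeds: clients now misrouted
    weak_route = reg.routes.pop(uid)
    reg.register_authkey(uid, device, proof_for(secret, uid, device, reg.challenge(uid)))
    reg.register_authkey(uid, other, proof_for(b"guess", uid, other, reg.challenge(uid)))
    return weak_route, reg.routes[uid], len(reg.rejected)
```

The `rejected` list is the operator-side signal worth alerting on: a second registration for an already-routed UID that fails its AuthKey proof is exactly the event the weak policy would have silently accepted.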

The development marks the second time a similar vulnerability has been disclosed in ThroughTek’s P2P SDK. In June 2021, CISA issued an alert warning of a critical flaw (CVE-2021-32934) that could be leveraged to access the camera audio and video feeds through improper means.
