ThroughTek’s Kalay is used to manage security cameras, baby monitors, DVRs and more. A newly discovered flaw lets attackers watch, listen and steal recordings from hardware sold by dozens of vendors.
Kalay, a P2P IoT protocol developed by Taiwanese company ThroughTek, has a serious security problem: Remote attackers are able to exploit it in order to give them total, yet nearly invisible, control over devices using the protocol.
The problem isn’t a minor one, either: A security advisory issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) assigns it a severity score of 9.6 on the CVSS v3 scale, which tops out at 10. The vulnerability is low in complexity and affects more than 83 million devices, adding to its severity.
FireEye’s Mandiant security research group is responsible for the disclosure, which was first discovered in late 2020. Mandiant said that the new vulnerability is distinct from the Kalay vulnerability discovered by Nozomi Networks researchers and reported in May 2021.
SEE: Security incident response policy (TechRepublic Premium)
The vulnerability itself involves device impersonation by obtaining Kalay device identification codes. Once intercepted, attackers can register the device with the local Kalay server, which overwrites the existing device and directs future connection attempts to the false device. If successful, an attacker would gain access to live video and audio feeds as well as the ability to further compromise the device for use in additional attacks.
Who is at risk for a Kalay-triggered attack?
When a vulnerability this easy to exploit and widespread is reported, it’s essential to disseminate news quickly to affected parties so that they can update their devices. That’s tricky in this case.
ThroughTek markets Kalay as a white-label SDK, which unfortunately means that many of the IoT devices using Kalay and ThrougTek components don’t have any ThroughTek or Kalay branding.
“Due to how the Kalay protocol is integrated by original equipment manufacturers (“OEMs”) and resellers before devices reach consumers, Mandiant is unable to determine a complete list of products and companies affected by the discovered vulnerability,” Mandiant said in its disclosure blog post.
One of ThroughTek’s largest customers is Chinese tech company Xiaomi, and it also mentioned in a 2020 press release that it began working with “the world’s top ten Baby Care Cameras manufacturers” during the COVID-19 pandemic. Other than that, ThroughTek is fairly tight-lipped on where its 83 million devices are making 1.1 billion connections per month operating on 250 supported SoCs.
CISA said five versions of Kalay are affected:
- Versions 3.1.5 and prior
- SDK versions with the “nossl” tag
- Firmware that does not use AuthKey for IOTC connections
- Firmware using the AVAPI module without enabling DTLS
- Firmware using P2PTunnel or RDT
ThroughTek said that those using Kalay 3.1.10 or above should enable AuthKey and DTLS, while those using older versions should upgrade to library 126.96.36.199 or 188.8.131.52, as well as enabling AuthKey and DTLS.
SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)
“With the rapid development of information technology, safeguarding the cybersecurity of the products and services from malicious attacks is particularly challenging,” ThroughTek said. As a best practice, if you use a baby monitor, IoT camera, or DVR it’s a good time to check for firmware updates and learn more about what protocols yours are using.