Sunday, September 19, 2021

Video surveillance network hacked by researchers to hijack footage – Bare Safety

Researchers at security company Mandiant have written up a report about a device-hijack bug in a video sharing and surveillance network called Kalay.

Operated by Chinese smart device company ThroughTek, Kalay (which apparently means “handshake” in the Dawu language) is pitched as a cloud-based solution for vendors of home automation devices, including security cameras, smart locks, video doorphones, smart power plugs, and even personal cloud storage hardware such as NAS devices.

According to ThroughTek:

[Kalay c]onnects numerous home automation devices, enabling users to monitor and control their systems based on usage scenarios and daily habits.

More generally, the company says:

[Kalay] enables integration of video surveillance equipment, smart consumer products, and a variety of sensors to allow brand name manufacturers, telecoms providers, system integrators, hardware manufacturers, and other service providers to offer smart solutions that are safer, more convenient, and more flexible for users to enjoy.

As you can see, the idea is that instead of creating their own protocol, setting up their own servers and building their own home automation service, home device makers can build the Kalay software into their own firmware and use the existing Kalay network so that their customers can manage and access the devices.