Up to 83M IoT devices at risk of remote access

Dive Brief:

The Cybersecurity and Infrastructure Security Agency, in coordination with Mandiant, disclosed a critical risk vulnerability that could allow malicious actors to remotely access millions of IoT devices that use the ThroughTek "Kalay" network.
The vulnerability could allow a hacker to remotely watch real-time video, listen to live audio or gain remote access to credentials that could be used in future attacks, according to a blogpost from Mandiant researchers. Researchers were unable to put together a comprehensive list of affected products and manufacturers, but ThroughTek's platform works with a range of products that include IoT camera makers, smart baby monitors and digital video recorders.
"Cybercriminals could use a working exploit to create a botnet, steal sensitive data from victims or extort them into paying money, while nation-state actors could potentially use this vulnerability to perform mass surveillance on Kalay network users," Dillon Franke, associate consultant, proactive services at Mandiant Consulting told Cybersecurity Dive via email.

Dive Insight:

In a coordinated effort between Mandiant and CISA, officials warned the vulnerability could allow malicious actors to essentially gain remote access to IoT devices.

Mandiant originally discovered the vulnerability during independent security research into IoT cameras that began in September 2020, unrelated to any client work, according to Franke. The firm bought several smart devices that used the Kalay network and examined the on-device firmware, associated mobile applications and captured network traffic to understand how the Kalay protocol worked.

Kalay works with more than 83 million active devices and has more than 1.1 billion monthly connections on its platform, according to Mandiant. While most of the products impacted are designed for the consumer market, depending on what device they use, businesses could also be affected.

Mandiant researchers are not aware of any active exploitation in the wild, nor are they aware of any other parties that have developed a working exploit of the vulnerability, Franke said. Mandiant will not be releasing its proof-of-concept code, according to Franke.

The vulnerability, tracked at CVE-2021-28372 and FEYE-2021-0020, was assigned a CVSS3.1 base score of 9.6. The Common Vulnerability Scoring System is a way to measure the potential risk to a vulnerability, ranging from zero to 10, with 10 being the highest risk.

Eric Goldstein, executive assistant director of cybersecurity at CISA, said the agency is imploring all users and product manufacturers and vendors to follow the mitigation steps included in its advisory.

ThroughTek notified customers that used an outdated SDK to update the firmware with a patch fix released in 2018 and enable AuthKey and DTLS in order to minimize the risk of sensitive information being released. The company issued an advisory in June.

"We consider cybersecurity seriously and take security measures while developing our products, for example we are developing our software via a conventional spiral software development model and agile process with ISO 27001 assessment," said Yi-Ching Chen, a member of the ThroughTek's product security incident response team.

This newly disclosed vulnerability may seem similar to a recent vulnerability involving Nozomi Networks, however that one involved improper encryption for data in transit, according to Franke.

A Gartner analyst questioned whether the new security warnings contain enough specific information to help users take the proper steps in order to mitigate the vulnerability.

"This is a good reminder that we know live in a world surrounded by unsecure cyber-physical systems and that all organizations need to shift their mindset around security as a result," Katell Thielemann, VP analyst at Gartner said.