Critical Bug Could Allow Remote Snooping Via Millions of Devices
Security researchers have found yet another critical IoT supply chain vulnerability affecting millions of devices, which could enable attackers to eavesdrop on real-time camera feeds.
Mandiant revealed the CVE-2021-28372 bug yesterday after reporting it to the Cybersecurity and Infrastructure Security Agency (CISA).
It affects devices using the “Kalay” platform from Taiwanese firm ThroughTek, which makes software for OEMs to use in IP cameras, baby and pet monitoring cameras, digital video recorders (DVRs) and more.
Although Mandiant wasn’t able to ascertain exactly how many devices are affected, the firm warned that, according to ThroughTek, more than 83 million are currently using Kalay.
The news comes just a couple of months after Nozomi Networks discovered a critical bug in the ThroughTek P2P SDK. However, unlike that flaw, this one allows threat actors to communicate with devices remotely, opening the door to remote code execution attacks, Mandiant claimed.
That said, exploitation is far from easy.
“An attacker would require comprehensive knowledge of the Kalay protocol and the ability to generate and send messages. The attacker would also need to obtain Kalay UIDs through social engineering or other vulnerabilities in APIs or services that return Kalay UIDs,” the security firm explained.
“From there, an attacker would be able to remotely compromise affected devices that correspond to the obtained UIDs.”
Mandiant worked closely with ThroughTek on vulnerability disclosure, and both the firm and CISA recommend that any organization using Kalay upgrade to the new version 3.1.10 without delay. Affected firms are also urged to enable DTLS, which protects data in transit, and AuthKey, which adds an extra layer of authentication during client connection.
Andy Norton, European cyber risk officer at Armis, warned that IoT devices are increasingly the weakest link in the corporate security chain.
“Despite IoT devices carrying very similar risks to organizations, there is currently a lack of mitigating controls in comparison to IT devices,” he added.
“Understanding the purpose of an IoT device and monitoring for changes to the way it behaves … is the current state of the art method for IoT device risk management.”