Bug in Millions of Flawed IoT Devices Lets Attackers Eavesdrop
A remote attacker could exploit a critical vulnerability to eavesdrop on live audio & video or take control. The bug is in ThroughTek’s Kalay network, used in 83m devices.
Security researchers have discovered a critical flaw that affects tens of millions of internet-of-things (IoT) devices – one that exposes live video and audio streams to eavesdropping threat actors and which could enable attackers to take over control of devices, including security webcams and connected baby monitors.
The alarm was sounded on Tuesday by Mandiant, in coordination with the Cybersecurity and Infrastructure Security Agency (CISA) and ThroughTek. Mandiant’s Red Team discovered the vulnerability in late 2020.
“CVE-2021-28372 poses a huge risk to an end user’s security and privacy and should be mitigated appropriately,” according to Mandiant’s post. “Unprotected devices, such as IoT cameras, can be compromised remotely with access to a UID and further attacks are possible depending on the functionality exposed by a device.”
The world has already been inundated with tales of what can happen when these kinds of devices are misconfigured or riddled with vulnerabilities, and this just adds to the growing pile of scary headlines. For example, in February, a vulnerability affecting multiple baby monitors was found to expose hundreds of thousands of live devices, potentially allowing someone to drop in and view a camera’s video stream.
As Mandiant explained, the flaw would enable adversaries “to remotely compromise victim IoT devices, resulting in the ability to listen to live audio, watch real time video data, and compromise device credentials for further attacks based on exposed device functionality. These further attacks could include actions that would allow an adversary to remotely control affected devices.”
In a Tuesday post, researchers Jake Valletta, Erik Barzdukas and Dillon Franke – who discovered the bug – explained that it’s impossible to compile a comprehensive list of companies and products affected, given how the Kalay protocol is integrated by manufacturers and resellers before devices reach consumers. Though they couldn’t come up with a definitive list of affected companies and products that implement the Kalay platform, they strongly advised users of IoT devices “to keep device software and applications up to date and use complex, unique passwords for any accounts associated with these devices.”
Mandiant also recommends that device owners avoid connecting to affected devices from untrusted networks, such as public Wi-Fi: a recommendation that’s already part of wireless best practices, as the National Security Agency (NSA) recently advised in a public service announcement (PDF).