Researchers at FireEye’s Mandiant have discovered a critical vulnerability, tracked as CVE-2021-28372, in a core component of the Kalay cloud platform which is used by millions of IoT devices from many vendors.
The flaw could be easily exploited by a remote attacker to take over an IoT device, the only info needed for the attack is the Kalay unique identifier (UID) of the targeted user. The identifier could be obtained via social engineering.
“The vulnerabilities described in this post affect a core component of the Kalay platform. Mandiant was not able to create a comprehensive list of affected devices; however, ThroughTek’s website reports more than 83 million active devices on the Kalay platform at the time of writing this post.” states the report published by Mandiant. “An attacker would require comprehensive knowledge of the Kalay protocol and the ability to generate and send messages. The attacker would also need to obtain Kalay UIDs through social engineering or other vulnerabilities in APIs or services that return Kalay UIDs. From there, an attacker would be able to remotely compromise affected devices that correspond to the obtained UIDs.”
An attacker that has obtained the UID of a targeted device could send a specially crafted request to the Kalay network to register another device with the same UID on the network. Then the Kalay servers will overwrite the existing device. Once the victim will connect the device, his connection will be directed to the attacker that could obtain the credentials used by the victim to access the device.
Most of the devices using the platform are video surveillance products such as IP cameras and baby monitors, an attacker could exploit this flaw to eavesdrop audio and video data.
The attacker could also use RPC (remote procedure call) functionality to completely take over the device.
“Equally as important as processing AV data, the Kalay protocol also implements remote procedure call (“RPC”) functionality. This varies from device to device but typically is used for device telemetry, firmware updates, and device control.” continues Mandiant. “With the compromised credentials, an attacker can use the Kalay network to remotely connect to the original device, access AV data, and execute RPC calls. Vulnerabilities in the device-implemented RPC interface can lead to fully remote and complete device compromise.”
ThroughTek, the company that developed the cloud IoT platform, has released SDK updates to address the flaw. The company recommends its customers to enable AuthKey and DTLS.
“We recommend customers adopt one of the following steps immediately:
“CVE-2021-28372 poses a huge risk to an end user’s security and privacy and should be mitigated appropriately. Unprotected devices, such as IoT cameras, can be compromised remotely with access to a UID and further attacks are possible depending on the functionality exposed by a device.” concludes the report.
(SecurityAffairs – hacking, CVE-2021-28372)