a vulnerability is lurking in numerous types of smart devices—including security cameras, DVRs, and even baby monitors—that could allow an attacker to access live video and audio streams over the internet and even take full control of the gadgets remotely. What's worse, it's not limited to a single manufacturer; it shows up in a software development kit that permeates more than 83 million devices, and over a billion connections to the internet each month.
The SDK in question is ThroughTek Kalay, which provides a plug-and-play system for connecting smart devices with their corresponding mobile apps. The Kalay platform brokers the connection between a device and its app, handles authentication, and sends commands and data back and forth. For example, Kalay offers built-in functionality to coordinate between a security camera and an app that can remotely control the camera angle. Researchers from the security firm Mandiant discovered the critical bug at the end of 2020, and they are publicly disclosing it today in conjunction with the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency.
“You build Kalay in, and it's the glue and functionality that these smart devices need,” says Jake Valletta, a director at Mandiant. “An attacker could connect to a device at will, retrieve audio and video, and use the remote API to then do things like trigger a firmware update, change the panning angle of a camera, or reboot the device. And the user doesn’t know that anything is wrong.”
The flaw is in the registration mechanism between devices and their mobile applications. The researchers found that this most basic connection hinges on each device's “UID,” a unique Kalay identifier. An attacker who learns a device's UID—which Valletta says could be obtained through a social engineering attack, or by searching for web vulnerabilities of a given manufacturer—and who has some knowledge of the Kalay protocol can reregister the UID and essentially hijack the connection the next time someone attempts to legitimately access the target device. The user will experience a few seconds of lag, but then everything proceeds normally from their perspective.
The attacker, though, can grab special credentials—typically a random, unique username and password—that each manufacturer sets for its devices. With the UID plus this login the attacker can then control the device remotely through Kalay without any other hacking or manipulation. Attackers can also potentially use full control of an embedded device like an IP camera as a jumping-off point to burrow deeper into a target's network.
By exploiting the flaw, an attacker could watch video feeds in real time, potentially viewing sensitive security footage or peeking inside a baby's crib. They could launch a denial of service attack against cameras or other gadgets by shutting them down. Or they could install malicious firmware on target devices. Additionally, since the attack works by grabbing credentials and then using Kalay as intended to remotely manage embedded devices, victims wouldn't be able to oust intruders by wiping or resetting their equipment. Hackers could simply relaunch the attack.
“The affected ThroughTek P2P products may be vulnerable to improper access controls,” CISA wrote in its Tuesday advisory. “This vulnerability can allow an attacker to access sensitive information (such as camera feeds) or perform remote code execution. … CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.”
As with many internet-of-things security meltdowns, though, identifying where the bug exists is a far cry from getting it fixed. ThroughTek is only one part of a massive ecosystem that needs to participate in addressing the vulnerability. Manufacturers incorporate Kalay in their products, which may then be bought by another company to be sold with a particular brand name. This means that while ThroughTek offers options that can be enabled to mitigate the flaw, it's difficult to know exactly how many companies rely on Kalay and need to turn these features on—if they are even running a new enough version of the SDK to do it.
The researchers are not releasing details about their analysis of the Kalay protocol or the specifics of how to exploit the vulnerability. They say they haven't seen evidence of real-world exploitation, and their goal is to raise awareness about the problem without handing real attackers a road map.
To defend against exploitation, devices need to be running Kalay version 3.1.10, originally released by ThroughTek in late 2018, or higher. But even the current Kalay SDK version (3.1.5) does not automatically fix the vulnerability. Instead, ThroughTek and Mandiant say that to plug the hole manufacturers must turn on two optional Kalay features: the encrypted communication protocol DTLS and the API authentication mechanism AuthKey.
“We have been informed by Mandiant of a vulnerability … which could permit a malicious third-party unauthorized access to sensitive information, and we have notified our customers and assisted the customers who used the outdated SDK to update the firmware of the devices,” says Yi-Ching Chen, a product security incident response team member at ThroughTek.
Chen adds, though, that it has been difficult to get customers to update en masse—an observation that tracks with Mandiant's findings. Three years after releasing a version of the SDK that contains options for stopping these types of attacks, Mandiant researchers stumbled on a massive population of devices that are still vulnerable.
“For the past three years, we have been informing our customers to upgrade their SDK,” ThroughTek's Chen says. “Some old devices lack OTA [over the air update] function which makes the upgrade impossible. In addition, we have customers who don’t want to enable the DTLS because it would slow down the connection establishment speed, therefore are hesitant to upgrade.”
Mandiant's Valletta says that ThroughTek's late 2018 SDK version didn't come with adequate information for customers about how critical it was to update and proactively enable the two protective features. The company recently issued an alert in response to Mandiant's research that is more forceful.
“This is not a quick fix for many of ThroughTek's customers, so when it’s posed as an optional update, we anticipate many of them did not prioritize it, as they did not realize it was tied to mitigating a critical vulnerability," Valletta says.
Researchers from Nazomi Networks also recently disclosed a different Kalay vulnerability that could be exploited to access live audio and video feeds as well. And researchers have warned for years about the potential security implications of prefab IoT platforms like Kalay.
For regular users who may already have vulnerable devices in their homes or businesses, there's no complete list of impacted devices to work off of. You should simply install any available software updates on your embedded devices whenever possible. Mandiant's Valletta says he's hopeful that today's public disclosure will help raise awareness and get more large vendors to update Kalay in their products. But he says, realistically, fixes may never come to devices made by smaller companies, those who don't invest heavily in security, or those who buy their devices from white label providers and then slap a brand name on.
“I think there is light at the end of the tunnel, but I'm hesitant to say that everyone is going to patch," Valletta says. “We’ve been doing this for years, and we see a lot of patterns and kinds of bugs over and over again. Internet-of-things security still has a lot of catching up to do.”
Updated August 17, 2021 at 1pm ET to include comment from ThroughTek and additional context about mitigations from Mandiant.