Critical vulnerability in security cameras opens the door to attackers

0
502

A critical vulnerability in internet-connected security cameras can allow an attacker to remotely watch live video and gain access to networks. Discovered and detailed by researchers at FireEye Inc. Mandiant, the vulnerability relates to the Kalay network offered by ThroughTek Co. Ltd. Kalay provides a system for connecting smart devices with mobile applications and is offered to original equipment manufacturers as a software development kit.

ThroughTek claims that Kalay has more than 83 million active devices on its network, with more than 1.1 billion connections. Those devices can include “internet of things” cameras, smart baby monitors and Digital Video Record products.

The vulnerability, named CVE-2021-28372, was first discovered in late 2020 and has a Common Vulnerability Scoring System score of 9.6, meaning it’s considered critical.

The Mandiant researchers wrote an interface for creating and manipulating Kalay requests and responses and in doing so could identify local and flow vulnerabilities in the communication. In addition, they could identify and register devices in a way an attacker could exploit.

With the ability to obtain identity, an attacker could then obtain the Kalay client device’s unique identifier. Then, with that identifier, the attacker can register it with Kalay servers, giving them access to the device. That access in turn can be used to obtain the username and password for the device and give the attacker full access, including monitoring audio and video.

The researchers and ThroughTek recommend that companies using the Kalay protocol upgrade to at least version 3.2.10 and enable Kalay features, including DTLS and AuthKey. The vulnerability is severe enough that the Department of Homeland Security’s Cybersecurity and Infrastructure Agency also issued an ICS Advisory in conjunction with the disclosure from Mandiant.

“What’s deeply concerning here is that a remote hacker can exploit the vulnerabilities in the ThroughTek Kalay IoT cloud platform to gain access to the live audio and video streams used by consumers, and potentially corporate-grade security and surveillance systems,” Mark Bowling, vice president of security response services at cloud-native cybersecurity company ExtraHop Networks Inc said. “This exploit should be a wake-up call for any industry that leverages IoT devices, especially security cameras.”

Robert Prigge, chief executive officer of identity verification solutions provider Jumio Corp., noted that “while this vulnerability is harmful to anyone with a smart device linked to the Kalay platform, it’s particularly concerning that baby monitor feeds are involved.”