Critical Bug Impacting Millions of IoT Devices Lets Hackers Spy On You (bleepingcomputer.com) 42

An anonymous reader quotes a report from BleepingComputer: Security researchers are sounding the alarm on a critical vulnerability affecting tens of millions of devices worldwide connected via ThroughTek's Kalay IoT cloud platform. The security issue impacts products from various manufacturers providing video and surveillance solutions as well as home automation IoT systems that use the Kalay network for easy connection and communication with a corresponding app. A remote attacker could leverage the bug to gain access to the live audio and video streams, or to take control of the vulnerable device. Researchers at Mandiant's Red Team discovered the vulnerability at the end of 2020 and worked with the U.S. Cybersecurity and Infrastructure Security Agency and ThroughTek to coordinate the disclosure and create mitigation options.

Tracked as CVE-2021-28372, the issue is a device impersonation vulnerability that received a severity score of 9.6 out of 10. It affects the Kalay protocol that is implemented as a software development kit (SDK) that is built into mobile and desktop applications. Mandiant's Jake Valletta, Erik Barzdukas, and Dillon Franke looked at ThroughTek's Kalay protocol and found that registering a device on the Kalay network required only the device's unique identifier (UID). Following this lead, the researchers discovered that a Kalay client, such as a mobile app, usually receives the UID from a web API hosted by the vendor of the IoT device. An attacker with the UID of a target system could register on the Kalay network a device they control and receive all client connection attempts. This would allow them to obtain the login credentials that provide remote access to the victim device audio-video data. The researchers say that this type of access combined with vulnerabilities in device-implemented RPC (remote procedure call) interface can lead to complete device compromise. By the latest data from ThroughTek, its Kalay platform has more than 83 million active devices and manages over 1 billion connections every month.
The best way to protect yourself from this vulnerability is to keep your device software and applications updated to the latest version, as well as to create complex, unique login passwords. The report also recommends you avoid connecting to IoT devices from an untrusted network.
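The registration weakness the summary describes, modelled as an added example (constructed here; it is not code from BleepingComputer, Mandiant or ThroughTek's Kalay SDK): a toy registry that accepts any registration carrying a known UID sits beside one that also demands proof of a per-device secret through an HMAC challenge-response. The UID, key, endpoint names and the challenge-response scheme are all assumptions for illustration, and the hardened registry is a generic mitigation pattern rather than ThroughTek's actual fix.

```python
"""Constructed model of IoT device registration: UID-only versus key-backed.

Nothing here is the real Kalay protocol; the point is that a UID handed out by a
vendor web API is an identifier, not an authenticator, so a registry keyed on it
alone lets whoever registers last receive every client connection.
"""
import hashlib
import hmac
import secrets

# Constructed sample values (assumptions, not the real UID format).
CAMERA_UID = "EXAMPLE-CAMERA-UID-0001"
CAMERA_KEY = secrets.token_bytes(32)  # per-device secret provisioned at manufacture (assumed)


class UidOnlyRegistry:
    """Weak form: registering needs nothing but the UID; the last registrant wins."""

    def __init__(self):
        self._endpoints = {}

    def register(self, uid, endpoint):
        self._endpoints[uid] = endpoint

    def resolve(self, uid):
        """Endpoint a client connecting to `uid` will be pointed at."""
        return self._endpoints[uid]


class ChallengeRegistry:
    """Hardened form: registration must prove possession of the key for that UID."""

    def __init__(self, device_keys):
        self._keys = dict(device_keys)  # uid -> key, the server-side copy (assumed provisioning)
        self._endpoints = {}
        self._pending = {}  # uid -> nonce issued and not yet consumed

    def challenge(self, uid):
        """Issue a fresh nonce so a captured response cannot be replayed."""
        nonce = secrets.token_bytes(16)
        self._pending[uid] = nonce
        return nonce

    @staticmethod
    def proof(key, nonce, uid, endpoint):
        """HMAC over nonce, UID and the endpoint being claimed."""
        msg = nonce + uid.encode() + b"|" + endpoint.encode()
        return hmac.new(key, msg, hashlib.sha256).digest()

    def register(self, uid, endpoint, response):
        key = self._keys.get(uid)
        nonce = self._pending.pop(uid, None)  # one use per challenge
        if key is None or nonce is None:
            return False
        expected = self.proof(key, nonce, uid, endpoint)
        if not hmac.compare_digest(expected, response):
            return False
        self._endpoints[uid] = endpoint
        return True

    def resolve(self, uid):
        return self._endpoints[uid]


def uid_only_outcome():
    """Where clients end up when registration is keyed on the public UID alone."""
    reg = UidOnlyRegistry()
    reg.register(CAMERA_UID, "real-camera")
    reg.register(CAMERA_UID, "impostor")  # needs only the UID the app already fetches
    return reg.resolve(CAMERA_UID)  # "impostor": every client is now misdirected


def challenge_outcome():
    """Same two registrations against the key-backed registry, plus a replay attempt."""
    reg = ChallengeRegistry({CAMERA_UID: CAMERA_KEY})

    # Genuine device: holds CAMERA_KEY, answers the challenge, is accepted.
    nonce = reg.challenge(CAMERA_UID)
    real_response = reg.proof(CAMERA_KEY, nonce, CAMERA_UID, "real-camera")
    assert reg.register(CAMERA_UID, "real-camera", real_response)

    # Second registrant knows the UID but not the key: a guessed key fails.
    nonce = reg.challenge(CAMERA_UID)
    guessed = reg.register(
        CAMERA_UID, "impostor", reg.proof(b"not-the-key", nonce, CAMERA_UID, "impostor")
    )

    # Replaying the genuine response under a new nonce also fails.
    reg.challenge(CAMERA_UID)
    replayed = reg.register(CAMERA_UID, "impostor", real_response)

    return guessed, replayed, reg.resolve(CAMERA_UID)  # (False, False, "real-camera")


if __name__ == "__main__":
    print("UID-only registry resolves to:", uid_only_outcome())
    print("Challenge registry (guess, replay, resolved):", challenge_outcome())
```

The model also shows why "keep the app updated" on its own is not a complete defence: the fix has to live in the registration step on the cloud side and in the device firmware that answers the challenge, which is why the summary's advice about unique passwords and trusted networks only limits what an impersonator gains rather than preventing the impersonation.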
  • No surprise (Score:4, Informative)

    by rossz ( 67331 ) <ogreNO@SPAMgeekbiker.net> on Tuesday August 17, 2021 @08:03PM (#61703217) Journal

    The lack of consideration for security in IoT devices is well known. It's one of the reasons I don't own a single IoT item.

    • Same. I'm not even sure what would be gained by having an Internet-enabled dishwasher or toaster.
• I find it difficult to believe you do not have a router and you have no WiFi. Your computer is wired directly to the modem. You have no devices connected to the WiFi that you don't have because WiFi can be tracked. You have no smart phone which is the most invasive of all the IOT devices. You don't have any modern audio devices to listen to music just your vacuum tube radio and your wind-up Victrola. No wireless lights or switches. No smart thermostats or video security cameras. Your VHS video tape pla
    • by KiloByte ( 825081 ) on Tuesday August 17, 2021 @08:28PM (#61703263)

      The S in "IoT" stands for security, P for privacy.

• There are ways around it in some cases. I kind of don't care if they get into my $7 Chinese dimmer lightbulbs. Whatever, I'll just replace them if they do something stupid, they are set to automatically turn on and off, so a hacker won't work out my schedule from them. The cameras, I specifically blocked them from talking to the net and after a bit of nmapping worked out the RTP ports and hooked them to an internal Synology box (with security camera data archived off site via a non-IoT cloud provider).

      But for

      • by Bert64 ( 520050 )

A lot of these cloud-based IoT devices are caused by the prevalence of NAT...

        Users want to reach their devices from outside, due to NAT they can't, instructions to forward a port would vary depending on the type of equipment in use and might not be possible at all (eg CGNAT setup), all of which would be beyond the capabilities of most users. So instead, they make it talk to a cloud server and insert themselves as a middleman.

From the perspective of the company providing the device it's a win-win:
        Easier for the us

        • by tlhIngan ( 30335 )

          If a user can't configure their NAT router to allow an iOT device through, what makes you think they can configure their firewall to allow access to an IPv6 device?

          Or are you going to assume all IPv6 devices will be accessible over the internet? Because while IPv6 address space precludes scanning efficiently (that we know of), there's no reason why this might remain the case forever.

          Relying on the vastness of IPv6 is just a form of security through obscurity. It only takes one vulnerability one can exploit

          • by Bert64 ( 520050 )

            If a user can't configure their NAT router to allow an iOT device through, what makes you think they can configure their firewall to allow access to an IPv6 device?

            They can't, although it avoids the CGNAT case where the user isn't in control of it no matter what changes they make to their own user.
It's also less confusing, device has address X - allow access to address X, connect to address X. Rather than device has internal address X while router has external address Y, having to forward ports from Y to X and where the device itself doesn't know what the external address is either and you have to use a different address to connect whether you're inside or outside, eugh.

      • Re: No surprise (Score:4, Informative)

        by RobinH ( 124750 ) on Wednesday August 18, 2021 @04:44AM (#61703997) Homepage
The concern isn't that the light bulb will start turning on or off randomly, it's that you now have a rogue device inside your local network making connections out to some Chinese server. It's a trojan horse. That device can now be used to gain remote access to your network by already being inside your NAT router and firewall. This is the same problem that any network device like a printer creates on a corporate network. We have to make sure these are in an IP range that can't get out to the Internet. But in the case of your light bulb, if you did that, you would lose the ability to control the light with a smartphone app. It would be trivial for that foreign organisation to use that foothold to then scan and attack other devices on the network.
      • by AmiMoJo ( 196126 )

        Rather than getting IoT lightbulbs it's better to get an IoT lightswitch. Find one that works with Tasmota open source firmware. Then you have full control of the device, it doesn't need off-site servers to work. If any security issues are discovered with Tasmota you can be sure that there will be a firmware update available very quickly.

        Then isolate it all on a dedicated WiFi network with no internet access.

  • I'll give it another ten years for better options to offer themselves or me to care enough to roll my own.

    • Call me a luddite, but what even is the point of IoT devices? Most appliances now come with a timer or at least a built-in scheduler. Do people really value the ability to switch on the porch light from their phone that much?
      The only valid case I can think of is a security camera that you can check on with your phone while you're out. But my home is equipped with good old Iron Bars On Window And Door technology and this has stood the test of time and guaranteed me a robbery rate of 0.

      • by AmiMoJo ( 196126 )

        It gets interesting when you integrate with Home Assistant. Then you can program the system, so for example you could use occupancy sensors to control the lights or enforce turning the AC off when nobody has been in the room for 30 minutes.

It's also quite handy for monitoring. Say you have a garage door opening, you can see its status at a glance. You can also program things like automatic close if nobody is in the garage, or a bedtime routine that checks for things like open doors and windows or lights yo

      • The point of IoT is to make money off of idiots. It's guaranteed to achieve the intended goal.
  • by mcswell ( 1102107 ) on Tuesday August 17, 2021 @08:48PM (#61703301)

    "The best way to protect yourself from this vulnerability is not to own any IoT devices."

    • by AmiMoJo ( 196126 )

      You don't have to be a luddite to be secure. Buy IoT devices that you can run open source firmware on, Tasmota being the most popular one. A lot of cheap devices can run it. Use Home Assistant as the controller using your own hardware (Raspberry Pi is ideal).

      Then isolate the whole thing on a dedicated network with no internet access. If you do need outside access then setting up a VPN is the best option.

      • great advice except for that ~90% of the people out there barely know how to change the batteries on their TV remote and/or don't give a fuck about it.

        "Oh they wouldn't care about me, I'm not anyone important."
        or
        "We're too small of a business for anyone to want to hack us." (I've had several employers who said exactly this)
        or
        "Meh, it's too much trouble to worry about it and they will get my info anyway so why bother"
        etc.

        Sound familiar?

Side note: thanks for the pointer to Tasmota, I'd never heard of

• I get your point, and maybe that would be secure. But "luddite"? Why? I have yet to see a single IoT device that would do anything useful for me. I looked just now at the IBM IoT blog page, and the ideas (except for self-driving cars, which are still in the future) are either ludicrous (your alarm clock finds out your train will be late, so you have to drive, so it wakes you up early for your commute) or scary (a part in your car is wearing out, so it makes an appointment for you at the dealer).

        So unles

  • What devices? (Score:5, Insightful)

    by jtara ( 133429 ) on Tuesday August 17, 2021 @09:23PM (#61703395)

    Sure would be nice to know what devices or what manufacturers.

    Just went through the links in this article and others, and haven't found a one yet that lists any specific devices or manufacturers.

    • by AmiMoJo ( 196126 )

      They seem to consider the list of companies using their technology to be some kind of trade secret. Seems like a new law is needed to require disclosing of all vulnerable devices.

• It might be useful if ISPs would switch to IPv6 TODAY and then have the home router control any IPv4 4-6 NATing. It would certainly allow far better control of what is going on out there.
    • by Bert64 ( 520050 )

      Many ISPs already have IPv6, only very lousy ones haven't bothered rolling it out.

• Yeah, tip your cashier if you want their salary to stay low as their income provider puts a decent part of it in their own pocket. And they will never know what they will get this month, what a relief, ain't it.
  • This is not a bug (Score:3, Insightful)

    by Leading Edge Boomer ( 7204080 ) on Tuesday August 17, 2021 @10:17PM (#61703517)
    but a feature. The entire business model for IoT is to gather information about you and sell it. This just seems like a more efficient path, cutting out the middleman. No IoT in my house in any foreseeable future. Do they think we are all rubes?
  • I was already sitting down when I read this.

• The name of the manufacturer must be revealed. Or else this is just a FUD campaign against all IoT. Yes, at the moment none of them have shown any interest in security whatsoever and the situation is ridiculous. Like a hospital not having soap and disinfectants and never having seen a doctor or even a nurse. Is that acceptable? I have written to multiple IoT 'security' device manufacturers asking some basic questions about, yeah, I kid you not, security of their products, only to receive something à la 'yes, we secure
    • Except the SDK manufacturer won't list affected devices or even device manufacturers. It boggles my mind how this is an "acceptable" (i.e. in that nobody is taking them to task about it) response.
  • IoT has always stood for the "Internet of Hacked Things". (The 'H' is silent.)
  • >The best way to protect yourself from this vulnerability is to keep your device software and applications updated to the latest version

    And I wonder how many such IoT devices are simply not upgradable and/or have already been abandoned by their manufacturer.

    And on that note from an article: https://www.fireeye.com/blog/t... [fireeye.com]: "Mandiant is unable to determine a complete list of products and companies affected by the discovered vulnerability".

    How convenient for them and their customers. How inconvenient

  • Defective design costs. Most of these cheap ass products have NO software upgrade path. So return it, using relevant consumer redresses. The major emphasis is not listing and enumerating the products eligible for consumer refunds. Take it back.
  • The best way to protect yourself is not have all this fucking bullshit YOU DON'T NEED. Goddamnit
  • Where does the attacker get the UID from? Guessing a 128 bit random number?

• I get it, I love tech too... but this unhealthy obsession with IoT and "smart" phones is way out of hand. That phone is not your friend. Your obsession with it is unhealthy and you really need to put it down... for like a month at least... Just me typing these words is causing you to fly into a fit of rage at the very thought of someone who feels that you should be required to limit its use to 10 minutes per day maximum or not at all. So long karma... You'll be missed.
