Critical bug allows remote compromise, control of millions of IoT devices (CVE-2021-28372)

A vulnerability (CVE-2021-28372) in the SDK that allows IoT devices to use ThroughTek’s Kalay P2P cloud platform could be exploited to remotely compromise and control them, Mandiant researchers have discovered. Further attacks are possible depending on the functionality exposed by a device.

“Due to how the Kalay protocol is integrated by original equipment manufacturers (OEMs) and resellers before devices reach consumers, Mandiant is unable to determine a complete list of products and companies affected by the discovered vulnerability,” the researchers explained.

They know, though, that the list includes IoT cameras, smart baby monitors, and DVRs by various manufacturers, and ThroughTek boasts of more than 83 million active devices on the Kalay platform.

About CVE-2021-28372

The Kalay platform allows IoT devices to register through it and get connected to a mobile or desktop application. From there, users can, for example, view a smart camera’s footage. The platform supports “image transmission, cloud video recording, data collection and analysis, remote control and management of hardware devices, push notifications, and more.”

The connection and these functionalities are made possible through the use of a software development kit (SDK) – an implementation of the Kalay protocol – that’s integrated into mobile and desktop apps and networked IoT devices.

CVE-2021-28372, discovered and reported by researchers Jake Valletta, Erik Barzdukas, and Dillon Franke, affects how devices access and join the Kalay network, and could allow attackers to register a device on the network with the UID (unique identifier) of a victim Kalay-enabled device, causing the registration servers to overwrite the existing device.

To be able to do this, attackers must attain comprehensive knowledge of the Kalay protocol and the ability to generate and send messages (requests and responses) – like the researchers did. They would also have to obtain Kalay UIDs through social engineering or other vulnerabilities in APIs or services that return Kalay UIDs.

“Once an attacker has maliciously registered a UID, any client connection attempts to access the victim UID will be directed to the attacker. The attacker can then continue the connection process and obtain the authentication materials (a username and password) needed to access the device,” they noted.
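The overwrite-and-redirect behaviour described above can be seen in a simplified model, added here as an illustration; it is not the Kalay protocol, ThroughTek's code, or the researchers' PoC. The class names, the HMAC-based proof, and all values are assumptions, and the hardened variant shows the general idea of authenticating a registration rather than how SDK 3.1.10 implements its fix.

```python
import hashlib
import hmac

# Constructed sample values; no real UIDs or keys appear here.
VICTIM_UID = "EXAMPLE-UID-0001"
DEVICE_KEY = b"constructed-per-device-secret"


def make_proof(key, uid, endpoint):
    """HMAC over UID and endpoint, so a proof is bound to one endpoint."""
    return hmac.new(key, f"{uid}|{endpoint}".encode(), hashlib.sha256).digest()


class UidOnlyRegistry:
    """Weak model: whoever presents a UID owns its registration."""

    def __init__(self):
        self.routes = {}

    def register(self, uid, endpoint, proof=b""):
        self.routes[uid] = endpoint  # last writer wins; the old entry is overwritten
        return True

    def lookup(self, uid):
        return self.routes.get(uid)


class AuthenticatedRegistry(UidOnlyRegistry):
    """Hardened model (assumption): registration must prove knowledge of a device key."""

    def __init__(self, provisioned_keys):
        super().__init__()
        self.keys = provisioned_keys  # uid -> secret provisioned out of band

    def register(self, uid, endpoint, proof=b""):
        key = self.keys.get(uid)
        if key is None or not hmac.compare_digest(proof, make_proof(key, uid, endpoint)):
            return False  # unknown UID or bad proof: existing route is kept
        return super().register(uid, endpoint)


def demo():
    """Return (weak route, hardened route, impostor rejected?) after a UID-only re-registration."""
    weak = UidOnlyRegistry()
    strong = AuthenticatedRegistry({VICTIM_UID: DEVICE_KEY})
    for reg in (weak, strong):
        reg.register(VICTIM_UID, "camera.example", make_proof(DEVICE_KEY, VICTIM_UID, "camera.example"))
        accepted = reg.register(VICTIM_UID, "impostor.example", b"")  # knows only the UID
    return weak.lookup(VICTIM_UID), strong.lookup(VICTIM_UID), not accepted
```

In the weak registry the second registration silently replaces the route that clients are given, which is why the UID must be treated as a secret there. A production design would also need replay protection, such as a nonce or timestamp inside the proof.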


The researchers have released a video demo of a functional PoC exploit, though they will not release the actual exploit code.

A fix is available

CVE-2021-28372 was discovered in late 2020 and reported to ThroughTek. It affects ThroughTek’s Kalay SDK versions below version 3.1.10, and has since been fixed.

“Mandiant and ThroughTek strongly recommend that companies using the Kalay protocol upgrade to at least version 3.1.10 and enable the following Kalay features: DTLS, which protects data in transit, and AuthKey, which adds an additional layer of authentication during client connection,” Mandiant advised, and noted that IoT device manufacturers should apply stringent controls around web APIs used to obtain Kalay UIDs, usernames, and passwords.

“Failure to protect web APIs which return valid Kalay UIDs could allow an attacker to compromise a large number of devices,” they pointed out.

Users of IoT devices are unlikely to know whether they use a vulnerable version of the SDK. It’s a good security practice, though, to regularly update device software and applications, use complex and unique passwords for associated accounts, and avoid connecting to affected devices from untrusted networks (e.g., public Wi-Fi).

UPDATE (October 27, 2021, 00:50 a.m. PT):

SAM’s Cyber Research Team has identified a number of vulnerable devices – Wi-Fi cameras, network storage devices and doorbells – that are found in many homes.
