A security vulnerability affecting a software platform that connects millions of internet of things (IoT) devices, including baby monitors and security cameras, was publicly disclosed today. Although a firmware update addressed this vulnerability in 2018, it isn’t clear whether all the companies selling the affected products have applied it. So far there’s no evidence anyone has actually exploited the vulnerability in an attack.
Security firm Mandiant’s researchers found the vulnerability, which affects ThroughTek’s Kalay platform, late last year. The firm decided to disclose it publicly today in coordination with the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
The Kalay platform is an SDK that lets companies making IoT devices connect those devices to mobile apps while keeping the connections secure. It’s what allows someone to control their home security camera or baby monitor from a smartphone app.
“You build Kalay in, and it’s the glue and functionality that these smart devices need,” said Mandiant director Jake Valletta. “An attacker could connect to a device at will, retrieve audio and video, and use the remote API to then do things like trigger a firmware update, change the panning angle of a camera, or reboot the device. And the user doesn’t know that anything is wrong.”
Suppose an attacker learns a specific device’s ID on the Kalay platform, whether through social engineering or by looking up the device’s manufacturer. They can then acquire the username and password the manufacturer set for the device, hijack it, and even use it to connect to other devices on the user’s network. They could gain complete control over a camera, shut it down, or install malware on it and on other connected devices. During the initial attack, the user would only briefly notice some slight connection lag. If the user completely resets their equipment, the attacker can simply relaunch the exploit with the manufacturer’s credentials.
ThroughTek notes that version 3.1.10 of its SDK, released in 2018, patched the vulnerability. However, applying these updates isn’t up to end users directly, but rather to the IoT manufacturers and the companies that buy devices from those manufacturers.
As the Internet of Things continues to grow, we can expect researchers to uncover more vulnerabilities like this one. Two months ago, security analysts found another flaw in Kalay’s SDK affecting versions 3.1.5 and earlier. In April, researchers discovered nine vulnerabilities in the TCP/IP stacks of hundreds of millions of IoT devices.
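The two version thresholds above (3.1.10 for this flaw, 3.1.5 for the earlier one) are the only thing a device owner or integrator can check against, and the check is easy to get wrong: a plain string comparison ranks "3.1.9" above "3.1.10". The following is an added example, not code from the article, Mandiant or ThroughTek, showing a numeric version comparison run over a constructed device inventory; the device names, vendors and the `kalay_sdk` field are assumptions for illustration.

```python
import re
from typing import Dict, List, Tuple

# Version that ThroughTek says patched the flaw, per the article.
FIXED_VERSION = "3.1.10"
# Upper bound of the earlier flaw mentioned in the article (3.1.5 and earlier).
EARLIER_FLAW_MAX = "3.1.5"


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn a dotted version string into an integer tuple.

    Accepts an optional leading 'v' and ignores trailing suffixes such as
    '-beta'; raises ValueError if no numeric version is present at all.
    """
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", s)
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def cmp_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a three-way compare, padding short tuples with 0."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def needs_update(sdk_version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the embedded SDK is older than the fixed release."""
    return cmp_versions(sdk_version, fixed) < 0


def affected_by_earlier_flaw(sdk_version: str) -> bool:
    """True when the SDK is 3.1.5 or earlier (the other flaw the article cites)."""
    return cmp_versions(sdk_version, EARLIER_FLAW_MAX) <= 0


# Constructed inventory: hypothetical devices with the SDK version each vendor
# reported. In practice this comes from vendor firmware release notes.
INVENTORY: List[Dict[str, str]] = [
    {"device": "cam-lobby",   "vendor": "ExampleVendor", "kalay_sdk": "3.1.4"},
    {"device": "cam-nursery", "vendor": "ExampleVendor", "kalay_sdk": "3.1.10"},
    {"device": "doorbell",    "vendor": "OtherVendor",   "kalay_sdk": "3.2.0"},
    {"device": "cam-garage",  "vendor": "OtherVendor",   "kalay_sdk": "v3.1.9-beta"},
    {"device": "cam-attic",   "vendor": "OtherVendor",   "kalay_sdk": ""},
]


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Bucket devices by whether their SDK predates the fix."""
    report: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for item in inventory:
        try:
            bucket = "vulnerable" if needs_update(item["kalay_sdk"]) else "patched"
        except ValueError:
            # No version reported: ask the vendor rather than assume it is safe.
            bucket = "unknown"
        report[bucket].append(item["device"])
    return report


if __name__ == "__main__":
    for bucket, devices in triage(INVENTORY).items():
        print(f"{bucket:>10}: {', '.join(devices) or '-'}")
    # Shows why string comparison is the wrong tool for this check.
    print("string compare says 3.1.9 > 3.1.10:", "3.1.9" > "3.1.10")
    print("numeric compare says 3.1.9 needs update:", needs_update("3.1.9"))
```

Devices that land in "unknown" deserve a vendor inquiry rather than a pass: as the article notes, the fix ships inside manufacturer firmware, so an empty or unparseable SDK version means the owner has no evidence either way.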