August 18, 2021

Researchers discovered a vulnerability known as CVE-2021-28372 that can affect millions of devices worldwide connected via ThroughTek’s Kalay IoT cloud platform.

The security issue affects products from various manufacturers that offer video and surveillance solutions as well as IoT systems for home automation that use the Kalay network to easily connect and communicate with an app.

According to researchers from Mandiant’s Red Team, the vulnerability affects the Kalay protocol, which is integrated into mobile and desktop applications as a Software Development Kit SDK.

When examining the Kalay protocol from ThroughTek, the researchers found that the registration of a device in the Kalay network only requires its unique identifier (UID).

Kalay clients receive the UID from a Web API hosted by the provider of the IoT device. So, an attacker could easily register a device they control and receive all client connection attempts on the Kalay network once they have the UID of a target system thereby granting them access to login credentials that allow remote access to the victim’s audio-video data.

Researchers from Mandiant’s Red Team discovered the vulnerability in late 2020 and worked with the U.S. Cybersecurity and Infrastructure Security Agency and ThroughTek to coordinate disclosure and create mitigation options.

Owners of affected devices are advised to mitigate the risk by updating their device software and applications.

For more information, read the original story in BleepingComputer.