November 30, 2023

A critical vulnerability in internet connected security cameras can allow an attacker to remotely watch live video and gain access to networks.

The vulnerability relates to the Kalay network offered by ThroughTek Co. Ltd. Kalay provides a system for connecting smart devices with mobile applications and is offered to original equipment manufacturers as a software development kit. It has 83 million active devices and 1.1 billion IoT connections worldwide.

The vulnerability, tracked as CVE-2021-28372, has a Common Vulnerability Scoring System score of 9.6, meaning it is considered critical.

The researchers built an interface for creating and manipulating Kalay requests and responses and, in doing so, could identify logic and flow vulnerabilities in the communication. In addition, they could identify and register devices in a way an attacker could exploit.

With the ability to identify devices, an attacker could obtain the Kalay client device's unique identifier. With that identifier, the attacker can register the device with the Kalay servers, giving them access to it. That access in turn can be used to obtain the username and password for the device and give the attacker full access, including monitoring audio and video.

The researchers and ThroughTek recommend that companies using the Kalay protocol upgrade to at least version 3.2.10 and enable Kalay features, including DTLS and AuthKey.

A remote hacker can exploit the vulnerabilities in the ThroughTek Kalay IoT cloud platform to gain access to the live audio and video streams used by consumers, and potentially corporate-grade security and surveillance systems. This exploit should be a wake-up call for any industry that leverages IoT devices, especially security cameras.

Kalay Statement
