A remote attacker could exploit a critical vulnerability to listen in to live audio & video or take control. The bug is in Through Tek’s Kalay network, used in 83m devices.
Security researchers have discovered a critical flaw that affects 10s of millions of internet-of-things (IoT) devices – 1 that exposes live video & audio streams to eavesdropping threat players & which could enable attackers to take over control of devices, including security webcams & connected baby monitors.
Vulnerability
The flaw, tracked as CVE-2021-28372 & FEYE-2021-0020 & assigned a critical CVSS3.1 base score of 9.6, was found in devices connected via Through Tek’s Kalay IoT cloud platform.
The alarm was sounded on Tues. by Mandiant, in co-ordination with the US Cybersecurity & Infrastructure Security Agency (CISA) & Through Tek. Mandiant’s Red Team discovered the vulnerability in late 2020.
Unprotected Devices
“CVE-2021-28372 poses a huge risk to an end user’s security & privacy & should be mitigated appropriately,” according to Mandiant’s post. “Unprotected devices, such as IoT cameras, can be compromised remotely with access to a UID & further attacks are possible depending on the functionality exposed by a device.”
The world has already been deluged with stories of what can happen when these kind of devices are misconfigured or riddled with vulnerabilities, & this just adds to the growing list of worrying headlines. E.g., in Feb., a vulnerability affecting multiple baby monitors was found to expose 100s of 1,000s of live devices, potentially allowing someone to view a camera’s video stream.
Remotely Compromise
As Mandiant explained, this flaw would enable adversaries “to remotely compromise victim IoT devices, resulting in the ability to listen to live audio, watch real time video data, & compromise device credentials for further attacks based on exposed device functionality. These further attacks could include actions that would allow an adversary to remotely control affected devices.”
In a Tues. post, researchers Jake Valletta, Erik Barzdukas & Dillon Franke – who discovered the bug – explained that it’s impossible to compile a comprehensive list of companies & products affected, given how the Kalay protocol is integrated by manufacturers & resellers before devices reach consumers.
Definitive List
Though they couldn’t come up with a definitive list of affected companies & products that implement the Kalay platform, they strongly advised users of IoT devices “to keep device software & applications up to date & use complex, unique passwords for any accounts associated with these devices.”
Mandiant also recommends that device owners avoid connecting to affected devices from untrusted networks, such as public Wi-Fi: a recommendation that’s already part of wireless best practices, as the US National Security Agency (NSA) recently advised in a public service announcement (PDF).
Newly Unappealing Handshake
According to Through Tek, “Kalay” is an indigenous Dawu word that means “handshake,” “symbolising the universal link in an interconnected world.”
Through Tek implements that handshake – the Kalay protocol – as a software development kit (SDK). The Kalay SDK provides a plug-&-play network to easily connect smart devices with corresponding mobile apps.
How Many Devices Are Affected?
To get a high-level view of the scope of potentially affected products & companies, researchers pointed to Through Tek’s advertising, which boasts of supporting upwards of 83m active devices & more than 1.1b monthly connections on the platform.
Through Tek also supports 250 systems-on-a-chip (SOCs): the microchips that contain all the necessary electronic circuits & parts for small consumer electronic devices, such as smartphones or wearable computers.
IoT Camera Manufacturers
Mandiant commented that affected Kalay products include IoT camera manufacturers, smart baby monitors, & Digital Video Recorder (DVR) products.
Researchers noted that this Through Tek bug is worse than the critical Nozomi Networks vulnerability disclosed in May: a bug that was already quite severe in that it laid open millions of connected cameras, leaving them prey to having remote attackers get at camera feeds.
Eavesdropping
Besides eavesdropping, this latest Kalay vulnerability means that devices could be remotely controlled by people who have no business tinkering with other people’s baby monitors, webcams or other IoT gadgets, Mandiant observed.
“This latest vulnerability allows attackers to communicate with devices remotely,” researchers explained. “As a result, further attacks could include actions that would allow an adversary to remotely control affected devices & could potentially lead to remote code execution.”
How the Bug Works
Mandiant outlined that the problem lies in the device registration process, which requires only a device’s 20-byte, uniquely assigned identifier – which they refer to as a UID – to access the network. Mandiant’s testing showed that, typically, the UID is provided by a Kalay-enabled client, such as a mobile app, from a web API hosted by the company that markets & sells a given device.
In order to exploit the vulnerability, an attacker would need both deep knowledge of the Kalay protocol & the ability to generate & send messages. They’d also have to get their hands on those Kalay UIDs, which they could wriggle away via “social engineering or other vulnerabilities in APIs or services that return Kalay UIDs,” the researchers explained.
Brute-Forcing
As an alternative, Mandiant also investigated ‘brute-forcing’ Through Tek UIDs, but researchers explained that it took up far too much time & resources.
After they get their hands on the UIDs, an attacker could take over the associated, affected devices. With some knowledge of the Kalay protocol, they’d be able to re-register the UID, overwriting the existing Kalay device on the Kalay servers. Then, whenever the legitimate owner tries to access the device, the UID will be directed to the attacker, in effect leading to hijacking of the connection.
As Mandiant Director, Jake Valletta, told Wired, the legitimate device owner would experience a few seconds of lag, but that’s the only difference that would be apparent from their perspective.
Connection Process
Then, the attacker can continue with the connection process in order to steal the device owner’s username & password. What happens when both a victimised device & a malicious device with the same UID exist on the network?: Answer – the malicious registration overwrites the existing registration & force the legitimate device’s connections to be re-routed to the attacker’s device.
After that, a threat player can remotely connect to the victimised device, access audio/visual data & execute remote procedure calls (RPC), Mandiant stated. Due to vulnerabilities in the device-implemented RPC interface, this can then lead to “fully remote & complete device compromise,” researchers described.
Common Binary Protections
The description of what makes this possible is: “Mandiant observed that the binaries on IoT devices processing Kalay data typically ran as the privileged user root & lacked common binary protections such as Address Space Layout Randomisation (“ASLR”), Platform Independent Execution (“PIE”), stack canaries, & NX bits.”
The figure below shows a hypothetical attack using the captured Kalay credentials to stage yet another attack by abusing the vulnerabilities in the Kalay RPC interface:
Mandiant isn’t releasing public exploit code, but it did provide the video below, which demonstrates a proof of concept for CVE-2021-28372.
Address the Bug
Mandiant “strongly recommends” that companies using the Kalay platform follow the following guidance from Through Tek & Mandiant:
- If the implemented SDK is below version 3.1.10, upgrade the library to version 3.3.1.0 or version 3.4.2.0 & enable the Authkey & Datagram Transport Layer Security (DTLS) features provided by the Kalay platform.
- If the implemented SDK is version 3.1.10 & above, enable Authkey & DTLS.
- Review security controls in place on APIs or other services that return Kalay unique identifiers (UIDs).
- Hardening features such as ASLR, PIE, NX, & stack canaries should be enabled on all binaries processing Kalay data & RPC functions should be treated as untrusted & sanitised appropriately.
- IoT device manufactures should apply stringent controls around web APIs used to obtain Kalay UIDs, usernames, & passwords to minimise an attacker’s ability to harvest sensitive materials needed to access devices remotely. Failure to protect web APIs which return valid Kalay UIDs could allow an attacker to compromise a large number of devices.
Mandiant thanked Through Tek & CISA for their co-operation & support with releasing the advisory & for their “commitment to securing IoT devices globally.”
https://www.cybernewsgroup.co.uk/virtual-conference-september-2021/
