IoT security vulnerability in the Kalay cloud platform! Over 83 million devices affected?
by Svenja Koch
Whether in business or private: IoT cyber threats can cause immense damage
IP cameras, digital video recorders or digital baby monitors definitely make our everyday lives more comfortable. IoT devices of all kinds are now in use by the millions in households worldwide - and are now under attack! A recently discovered IoT security vulnerability allows attackers to take control of networked smart devices via the internet. The vulnerability, tracked as CVE-2021-28372, is rated "critical" and cannot "easily" be fixed with patches. We explain what impact the IoT vulnerability can have, what exactly constitutes the Kalay vulnerability and how you can best counter IoT cyber threats.
IoT security vulnerability in the Kalay cloud platform
IoT vulnerability CVE-2021-28372 was disclosed by Mandiant security researchers in a core software component from Taiwan-based Throughtek. The component is part of the Kalay cloud platform, which is used by manufacturers worldwide in the production of smart cameras, baby monitors or digital video recorders. The vulnerability in Kalay is in Throughtek's P2P SDK - a quite practical feature that allows a client to access a camera's audio and video streams over the internet. The big problem with the Kalay vulnerability is that although there is a secure SDK version, the SDK is used by numerous manufacturers for countless smart devices, making patching extremely difficult.
How many devices are affected by the IoT vulnerability?
In their report, the security researchers from Mandiant write that the Throughtek SDK is used on 83 million IoT devices - and well over a billion connections are made to the Kalay network every month. However, it is currently still completely unclear how many of the IoT devices are affected and thus exposed to cyber attacks.
How do cyber attacks work via the Kalay vulnerability?
The good news first: It is not easy for cyber criminals to attack Kalay via the vulnerability. For one thing, the attackers need in-depth knowledge of the Kalay protocol - and for another, they need the unique identification number (UID) of the IoT device. The "common" way of obtaining UIDs by brute force is apparently not possible. The cybercriminals therefore need other ways to get the UIDs - social engineering is one of the most promising, according to Mandiant's security experts.
However, once the cyber attacker gets hold of the UID, he can virtually take over the IoT device registered on the Kalay network. As a result, all data sent by the compromised device is transmitted to the attacker. This data can include not only insights into the private life of the person affected, but also recordings of log-in processes. Once the cyber attacker has this log-in data, the complete takeover of further IoT devices is only a matter of time - and of the attacker's motivation.
What happens if my IoT devices are taken over by cyber attacks?
Cyberattacks on smart devices can lead to a wide variety of problems. Cybercriminals can connect to an IoT device at will, retrieve audio and video streams, remotely control cameras or reboot the device. The end users of the IoT devices are unaware of the attacks - until recorded video data is used for blackmail attempts, the account is drained or the smart entrance door is opened for a burglar at the push of a button. It doesn't have to be a worst-case scenario - it's enough to have the uneasy feeling that you are being spied on by strangers in your own home.
Can I use a virus scanner against Kalay's vulnerability?
Virus scanners are usually useful, basic IT security tools, but they are completely powerless against this IoT vulnerability. The only things that can help here are patches - and the commitment of the manufacturers who use Kalay for their IoT devices.
The manufacturers are under pressure
Throughtek reacted immediately after the vulnerability became known and provided two SDK versions for IoT devices, 3.3.1.0 and 3.4.2.0, which patch the vulnerability in Kalay. In addition, the IoT vulnerability can be closed by two optional functions of Kalay: the encrypted communication protocol DTLS and the API authentication mechanism Authkey. Manufacturers are therefore challenged to close the security gap in the long term, even for IoT devices that have already been shipped.
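For a manufacturer or fleet operator, the fixes named above translate into a triage over the device inventory. The following Python code is an added example, not code from Throughtek or Mandiant; the inventory fields, device names and sample versions are constructed, and it assumes that later builds on the 3.3 or 3.4 branch keep the fix and that DTLS and Authkey must both be enabled to count as a mitigation.

```python
import re

# SDK releases the article names as patched, keyed by release branch.
# Assumption: later builds on the same branch keep the fix; other
# branches are never judged by version number alone.
PATCHED = {(3, 3): (3, 3, 1, 0), (3, 4): (3, 4, 2, 0)}

# Constructed inventory; field names and versions are hypothetical.
SAMPLE = [
    {"name": "cam-lobby", "sdk": "3.1.5.0", "dtls": False, "authkey": False},
    {"name": "cam-dock", "sdk": "3.3.1.0", "dtls": False, "authkey": False},
    {"name": "dvr-01", "sdk": "3.4.1.9", "dtls": True, "authkey": True},
    {"name": "monitor-2", "sdk": "3.4.2.3", "dtls": True, "authkey": False},
    {"name": "cam-yard", "sdk": "3.2.0.0", "dtls": True, "authkey": False},
    {"name": "cam-old", "sdk": "n/a", "dtls": False, "authkey": False},
]


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not of the form a.b.c.d."""
    if not re.fullmatch(r"\d+(\.\d+){3}", text.strip(), flags=re.ASCII):
        return None
    return tuple(int(part) for part in text.strip().split("."))


def assess(device):
    """Classify one inventory record by SDK version and enabled options."""
    version = parse_version(str(device.get("sdk") or ""))
    floor = PATCHED.get(version[:2]) if version else None
    if floor is not None and version >= floor:
        return "patched-sdk"
    dtls, authkey = bool(device.get("dtls")), bool(device.get("authkey"))
    if dtls and authkey:
        return "mitigated-by-config"   # both optional features are on
    if dtls or authkey:
        return "partially-mitigated"   # one feature alone is not counted
    return "unmitigated" if version else "unknown-sdk"


def triage(inventory):
    """Group device names by status so the worst buckets can be worked first."""
    report = {}
    for device in inventory:
        report.setdefault(assess(device), []).append(device["name"])
    return report


if __name__ == "__main__":
    for status, names in sorted(triage(SAMPLE).items()):
        print(f"{status:20} {', '.join(names)}")
```

Devices that land in "unknown-sdk" or "unmitigated" are the ones to raise with the manufacturer first.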
What can I do to protect my IoT devices from the vulnerability in Kalay?
Unfortunately, there is still no list of all affected devices. Therefore, it is difficult to impossible for end users to predict a possible cyberattack through an existing vulnerability in the device. Whenever possible, current software updates should be installed.
Whether business or private: IoT cyber threats can cause immense damage
Cyberattacks are as old as the internet. IoT cyberthreats, on the other hand, are a fairly recent phenomenon - and IoT devices are used with corresponding carelessness. The smart, networked baby monitor is just one of the countless IoT devices that are now in use worldwide. Alexa and Siri, surveillance cameras at the house entrance, digital heating controls and video telephony: IoT devices have now conquered our everyday lives. The fact that each and every one of the devices used can represent its own IoT security vulnerability is easily overlooked in practical everyday life.
Yet the potential damage from cyber attacks on networked devices is considerable:
- Company internals can be eavesdropped on if video systems in meeting rooms are hijacked
- Account data can be tapped
- Video surveillance systems can allow private and business-related details to fall into the wrong hands.
- Compromised baby monitors become bugs that can effortlessly listen in on any conversation.
The loss of privacy in particular can be a psychological shock for those affected. One's own life under observation by complete strangers - Big Brother says hello. Not to mention the existence-threatening situation when sensitive information, be it professional or private, is misused for blackmail attempts.
Can I protect my IoT devices from cyber attacks at all?
Regardless of whether the smart devices you use are affected by the vulnerability in Kalay or another security risk: Everyone can be their own IT security through conscious action! Probably the most basic protection - and at the same time the measure that is most often forgotten - is to regularly update all smart devices. Many IoT cyberthreats can be prevented by manufacturer security patches and updates. Manufacturers are also aware of this, and usually offer the function of automatic updates.
Another point is the accessibility of the devices via the internet. Whenever possible, access to the internet should be blocked. This does not eliminate the risk completely, but it does significantly reduce the time cyber attackers have to take over the device. However, many devices lose their usefulness if they are not continuously connected to the internet. In this case, strong passwords should be used - or encrypted VPN connections that only allow access for predefined users. Firewalls also provide basic protection. And last but not least, there is the human security factor.
With the current IoT cyber threats from the vulnerability in Kalay, social engineering plays a major role. Therefore, personal IT security should always include the principle of never handing over personal data to strangers. Even if it is only the UID of the baby monitor, which the friendly "service employee" on the phone is desperate to find out.
References:
https://www.forescout.com/resources/amnesia33-how-tcp-ip-stacks-breed-critical-vulnerabilities-in-iot-ot-and-it-devices/
https://www.fireeye.com/blog/threat-research/2021/08/mandiant-discloses-critical-vulnerability-affecting-iot-devices.html
Conclusion
If we had warned about cyber attacks on video cameras or baby monitors 30 or even 20 years ago, the warning would probably have been dismissed as nice science fiction without substance. By 2021, however, smart, networked and internet-connected devices are a normal part of everyday life in many private households and businesses around the world. Unfortunately, cybercriminals are not asleep either - and use IoT vulnerabilities for cyberattacks of all kinds. The vulnerability now discovered in Kalay turns around 83 million smart devices into potential surveillance machines. While you put your child to bed and then tell your partner about the new, sinfully expensive watch that has finally arrived at your house, cybercriminals are listening. And are happy about all the detailed information that leaks out of your private life. At best, this only means a loss of privacy and violated personal rights. However, very few cybercriminals are stalkers and interested in anecdotes from your life. Rather, they are interested in account data, company secrets - or even the expensive watch that may be subject to a spontaneous transfer of ownership by uninvited visitors one of the coming nights.
The best IT security in dealing with IoT cyber threats is the conscious, careful handling of digital, networked devices. Whenever possible, networked devices should be disconnected from the internet. And if this is not possible, at least a firewall and strong passwords should be set up for basic protection. And, of course, the manufacturers of the products have a duty to ensure a minimum level of cyber security in the Internet of Things through regular updates and patches for known IoT security vulnerabilities.