
Bug in Millions of Flawed IoT Devices Lets Attackers Eavesdrop
2021-08-17 16:20

Security researchers have discovered a critical flaw that affects tens of millions of internet-of-things devices. It exposes live video and audio streams to eavesdropping threat actors and could let attackers take control of devices, including security webcams and connected baby monitors.

The vulnerability, which carries a CVSS v3.1 base score of 9.6, was found in devices connected via ThroughTek's Kalay IoT cloud platform.

In a Tuesday post, researchers Jake Valletta, Erik Barzdukas and Dillon Franke - who discovered the bug - explained that it's impossible to compile a comprehensive list of companies and products affected, given how the Kalay protocol is integrated by manufacturers and resellers before devices reach consumers.

Because no definitive list of affected companies and products is possible, they strongly advised users of IoT devices "to keep device software and applications up to date and use complex, unique passwords for any accounts associated with these devices."

IoT device manufacturers should apply stringent controls around web APIs used to obtain Kalay UIDs, usernames, and passwords to minimize an attacker's ability to harvest the sensitive material needed to access devices remotely.
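What "stringent controls" around such an API can look like in practice, as an added example that is not code from Threatpost, Mandiant or ThroughTek and does not model any real Kalay API: a hypothetical vendor-cloud lookup endpoint in its weak form (any caller can pull a device's UID and password by guessing a sequential device id) beside a hardened form that requires an authenticated session, checks device ownership, rate-limits per account, returns the same error for unknown and not-owned devices so the endpoint cannot be used to enumerate UIDs, and never returns the device password. Device ids, UIDs, passwords and usernames are constructed placeholders.

```python
"""Hypothetical IoT vendor-cloud device lookup API (added example, not vendor code).

Shows the weak endpoint the advisory warns about (anyone can harvest the UID and
credentials needed for remote access) beside a hardened version.
"""
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample registry: device ids, owners, UIDs and passwords are made up.
DEVICES = {
    "cam-0001": {"owner": "alice", "uid": "AAAAAAAA11111111AAAA", "password": "pw-a"},
    "cam-0002": {"owner": "bob", "uid": "BBBBBBBB22222222BBBB", "password": "pw-b"},
}


def lookup_weak(device_id):
    """Weak endpoint: keyed only on a guessable device id, no authentication.

    Returns the UID *and* password to any caller, so an attacker can walk the id
    space and harvest everything needed to connect to each device remotely.
    """
    rec = DEVICES.get(device_id)
    if rec is None:
        return None
    return {"uid": rec["uid"], "password": rec["password"]}


@dataclass
class Session:
    user: str
    token: str


SESSIONS = {}  # token -> Session (hypothetical in-memory session store)


def login(user):
    """Issue an unguessable session token for an already-authenticated user."""
    token = secrets.token_hex(16)
    SESSIONS[token] = Session(user=user, token=token)
    return token


@dataclass
class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window_s` per key."""
    limit: int
    window_s: float
    hits: dict = field(default_factory=dict)

    def allow(self, key, now=None):
        now = time.monotonic() if now is None else now
        recent = [t for t in self.hits.get(key, []) if now - t < self.window_s]
        if len(recent) >= self.limit:
            self.hits[key] = recent
            return False
        recent.append(now)
        self.hits[key] = recent
        return True


LIMITER = RateLimiter(limit=5, window_s=60.0)


def lookup_hardened(token, device_id, now=None):
    """Hardened endpoint: authenticated, owner-scoped, rate-limited, non-enumerable.

    `now` is injectable so the rate limit can be exercised deterministically.
    Returns {"uid": ...} on success or {"error": ...} otherwise.
    """
    session = SESSIONS.get(token)
    if session is None:
        return {"error": "authentication required"}
    # Count every attempt against the account, including failed ones, so a
    # compromised or malicious account cannot sweep the device id space.
    if not LIMITER.allow(session.user, now):
        return {"error": "rate limit exceeded"}
    rec = DEVICES.get(device_id)
    # Same response for "no such device" and "not your device": no oracle.
    if rec is None or rec["owner"] != session.user:
        return {"error": "device not found"}
    # Only the UID is returned; the device password stays server-side.
    return {"uid": rec["uid"]}


if __name__ == "__main__":
    print("weak:", lookup_weak("cam-0002"))  # harvestable with no credentials
    tok = login("alice")
    print("hardened (owner):", lookup_hardened(tok, "cam-0001", now=0.0))
    print("hardened (other user's device):", lookup_hardened(tok, "cam-0002", now=1.0))
    print("hardened (no session):", lookup_hardened("bogus", "cam-0001", now=2.0))
```

The two design points that matter most here are that the hardened lookup binds the request to an authenticated account that must own the device, and that it counts failed lookups against the rate limit and answers "not found" uniformly, so neither an anonymous scraper nor a single abusive account can turn the endpoint into a UID harvester.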

Mandiant thanked ThroughTek and CISA for their cooperation and support in releasing the advisory and for their "commitment to securing IoT devices globally."


News URL

https://threatpost.com/bug-iot-millions-devices-attackers-eavesdrop/168729/