Critical bug allows remote compromise, control of millions of IoT devices (CVE-2021-28372)
A vulnerability in the SDK that allows IoT devices to use ThroughTek's Kalay P2P cloud platform could be exploited to remotely compromise and control them, Mandiant researchers have discovered.
The Kalay platform allows IoT devices to register through it and get connected to a mobile or desktop application.
The platform supports "Image transmission, cloud video recording, data collection and analysis, remote control and management of hardware devices, push notifications, and more."
The connection and these functionalities are made possible through the use of a software development kit - an implementation of the Kalay protocol - that's integrated into mobile and desktop apps and networked IoT devices.
CVE-2021-28372, discovered and reported by researchers Jake Valletta, Erik Barzdukas, and Dillon Franke, affects how devices access and join the Kalay network, and could allow attackers to register a device on the network with the UID of a victim Kalay-enabled device, causing the registration servers to overwrite the existing device.
Users of IoT devices are unlikely to know whether they use a vulnerable version of the SDK. It's a good security practice to regularly update device software and applications, use complex and unique passwords for associated accounts, and to avoid connecting to affected devices from untrusted networks.
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/TI5dpiCC_fo/
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-08-17 | CVE-2021-28372 | Authentication Bypass by Spoofing vulnerability in ThroughTek Kalay P2P Software Development Kit 3.1.5. ThroughTek's Kalay Platform 2.0 network allows an attacker to impersonate an arbitrary ThroughTek (TUTK) device given a valid 20-byte uniquely assigned identifier (UID). | 8.3 |