If you haven't updated your ThroughTek DVR since 2018 do so now, warns Mandiant as critical vuln surfaces (Security News, August 2021)
The vuln exists in Chinese IoT vendor ThroughTek's Kalay communication protocol, the researchers claim, adding that malicious users could exploit it to remotely access victims' DVRs. Exploiting the vuln for real involves carrying out a man-in-the-middle attack, meaning the attacker needs to first obtain your home or office Wi-Fi password, or the user needs to do something like open a remote management mobile app while on a poorly secured coffee shop Wi-Fi network.
"Unlike the vulnerability published by researchers from Nozomi Networks in May 2021, this latest vulnerability allows attackers to communicate with devices remotely," warned Mandiant Threat Intelligence today.
An attacker who obtains that UID can maliciously register their own device in place of the original, meaning all connection requests intended for the original go to the attacker instead. When the user tries to access the DVR through the Kalay protocol, the DVR's username and password are transmitted to the registered UID. By MITM'ing these details, the attacker can forward on the connection request and examine the device's video and audio feed at their leisure.
With the access credentials for the DVR in the attacker's hands, that device could potentially be used for further attacks - but their severity depends on whether the DVR vendor did something silly such as reusing admin credentials across all its devices.
ThroughTek is a software vendor, meaning these potential attacks become a study in case-by-case compromise rather than a blanket attack vector.
ThroughTek PSIRT member Yi-Ching Chen told The Register the company had "assisted the customers who used the outdated SDK to update the firmware of the devices with a patch fix released in late 2018."