
83 million devices using the Kalay protocol are at risk for remote takeover. Are yours?
2021-08-19 15:33

Kalay, a peer-to-peer IoT protocol developed by the Taiwanese company ThroughTek, has a serious security problem: remote attackers can exploit it to gain complete, and nearly invisible, control over devices that use the protocol.

The attack is low in complexity and the vulnerability affects more than 83 million devices, which adds to its severity.

Once a device's Kalay UID (the identifier clients use to locate a device) has been obtained, an attacker can register a device with that UID on the Kalay servers. This overwrites the existing registration and directs future connection attempts from legitimate clients to the attacker's impostor device instead of the real one.

ThroughTek markets Kalay as a white-label SDK, which unfortunately means that many of the IoT devices using Kalay and ThroughTek components carry no ThroughTek or Kalay branding.

"Due to how the Kalay protocol is integrated by original equipment manufacturers and resellers before devices reach consumers, Mandiant is unable to determine a complete list of products and companies affected by the discovered vulnerability," Mandiant said in its disclosure blog post.

ThroughTek lists the affected configurations as:

- Firmware using the AVAPI module without DTLS enabled.
- Firmware using P2PTunnel or RDT.

Its guidance: devices on Kalay SDK 3.1.10 or above should enable AuthKey and DTLS; devices on older versions should upgrade to library 3.3.1.0 or 3.4.2.0 and then enable AuthKey and DTLS.
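Because white-label devices rarely say "Kalay" anywhere, the practical first step is an inventory check against the guidance above. The script below is an added example, not ThroughTek or Mandiant code: it encodes the affected configurations and the version thresholds from the page, handles SDK version strings with differing segment counts (3.1.10 versus 3.3.1.0), and reports the outstanding remediation per device. The inventory fields (SDK version string, linked-in modules, DTLS/AuthKey flags) and the sample fleet are assumptions constructed for the example; populate them from your own firmware build records.

```python
"""Fleet check against the Kalay remediation guidance quoted above.

Added example, not ThroughTek or Mandiant code. The inventory fields
(Kalay SDK version string, compiled-in modules, DTLS/AuthKey flags) are an
assumed format; populate them from your own firmware build records.
"""
from __future__ import annotations
from dataclasses import dataclass

# Thresholds taken from ThroughTek's guidance on the page.
AUTHKEY_DTLS_MIN = (3, 1, 10)                    # enable AuthKey + DTLS from here up
FIXED_LIBRARIES = ((3, 3, 1, 0), (3, 4, 2, 0))   # upgrade targets for older SDKs
AFFECTED_TRANSPORTS = frozenset({"P2PTunnel", "RDT"})


def parse_version(text: str) -> tuple[int, ...]:
    """'3.1.10' -> (3, 1, 10); raises ValueError on anything non-numeric."""
    return tuple(int(part) for part in text.strip().split("."))


def at_least(version: tuple[int, ...], minimum: tuple[int, ...]) -> bool:
    """Compare versions with differing segment counts ('3.1.10' vs '3.3.1.0')
    by zero-padding the shorter one, so that 3.1.10 == 3.1.10.0."""
    width = max(len(version), len(minimum))

    def pad(v: tuple[int, ...]) -> tuple[int, ...]:
        return v + (0,) * (width - len(v))

    return pad(version) >= pad(minimum)


def fmt(version: tuple[int, ...]) -> str:
    return ".".join(str(n) for n in version)


@dataclass(frozen=True)
class KalayDevice:
    name: str
    sdk_version: str
    modules: frozenset[str]   # Kalay SDK modules linked into the firmware (assumed field)
    dtls: bool = False
    authkey: bool = False


def assess(dev: KalayDevice) -> list[str]:
    """Return the remediation steps still outstanding for one device.

    An empty list means the device is not in an affected configuration, or
    already has the guidance applied."""
    affected = ("AVAPI" in dev.modules and not dev.dtls) or bool(
        dev.modules & AFFECTED_TRANSPORTS
    )
    if not affected:
        return []
    version = parse_version(dev.sdk_version)
    if not at_least(version, AUTHKEY_DTLS_MIN):
        targets = " or ".join(fmt(v) for v in FIXED_LIBRARIES)
        return [f"upgrade library to {targets}, then enable AuthKey and DTLS"]
    steps = []
    if not dev.authkey:
        steps.append("enable AuthKey")
    if not dev.dtls:
        steps.append("enable DTLS")
    return steps


def assess_fleet(devices: list[KalayDevice]) -> dict[str, list[str]]:
    return {d.name: assess(d) for d in devices}


# Constructed sample inventory (not real devices).
SAMPLE_FLEET = [
    KalayDevice("cam-a", "3.1.8", frozenset({"AVAPI"})),
    KalayDevice("cam-b", "3.2.0", frozenset({"AVAPI"}), dtls=True),
    KalayDevice("nvr-c", "3.3.1.0", frozenset({"AVAPI", "P2PTunnel"}), dtls=True, authkey=True),
    KalayDevice("dvr-d", "3.1.10", frozenset({"RDT"})),
]

if __name__ == "__main__":
    for name, steps in assess_fleet(SAMPLE_FLEET).items():
        print(f"{name}: {'; '.join(steps) or 'no action needed'}")
```

Note that AVAPI with DTLS already enabled is deliberately treated as not affected, matching ThroughTek's list; if you would rather require AuthKey on every Kalay device regardless, drop the `affected` short-circuit.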


News URL

https://www.techrepublic.com/article/83-million-devices-using-the-kalay-protocol-are-at-risk-for-remote-takeover-are-yours/#ftag=RSS56d97e7
