Security News > 2021 > August > Critical ThroughTek SDK Bug Could Let Attackers Spy On Millions of IoT Devices
A security vulnerability has been found affecting several versions of ThroughTek Kalay P2P Software Development Kit, which could be abused by a remote attacker to take control of an affected device and potentially lead to remote code execution.
Tracked as CVE-2021-28372 and discovered by FireEye Mandiant in late 2020, the weakness concerns an improper access control flaw in ThroughTek point-to-point products, successful exploitation of which could result in the "Ability to listen to live audio, watch real time video data, and compromise device credentials for further attacks based on exposed device functionality."
There are believed to be 83 million active devices on the Kalay platform.
This is made possible through the SDK - an implementation of the Kalay protocol - that's integrated into mobile and desktop apps and networked IoT devices.
CVE-2021-28372 resides in the registration process between the devices and their mobile applications, specifically how they access and join the Kalay network, enabling attackers to spoof a victim device's identifier to maliciously register a device on the network with the same UID, causing the registration servers to overwrite the existing device and route the connections to be mistakenly routed to the rogue device.
"The attacker can then continue the connection process and obtain the authentication materials needed to access the device. With the compromised credentials, an attacker can use the Kalay network to remotely connect to the original device, access AV data, and execute RPC calls."
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-08-17 | CVE-2021-28372 | ThroughTek's Kalay Platform 2.0 network allows an attacker to impersonate an arbitrary ThroughTek (TUTK) device given a valid 20-byte uniquely assigned identifier (UID). | 7.6 |