Critical Vulnerability in SDK
Security firm Mandiant discovered the bug in late 2020 but made it public only on August 17, 2021, in coordination with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA); the flaw is tracked as CVE-2021-28372. ThroughTek Kalay is the SDK under scrutiny. It provides a plug-and-play system that connects smart devices to their mobile applications, and the Kalay platform also handles authentication and relays commands and data between device and app. Jake Valletta, a Director at Mandiant, describes Kalay as the “glue and functionality” of the smart devices it is built into. He said that the vulnerability would allow a hacker to “connect to a device at will, retrieve audio and video, and use the remote API to then do things like trigger a firmware update, change the panning angle of a camera, or reboot the device.”
Hackers Gain Control by Stealing Login Credentials
According to the researchers, the flaw lies in the registration mechanism between smart devices and their mobile applications. An attacker exploits it by learning a device’s “UID,” the unique identifier Kalay assigns to each device. With a device’s UID and some knowledge of Kalay’s protocol, the attacker can re-register that UID and hijack the connection, so that the victim’s app is steered to the attacker instead of the real device. The user sees only a short lag, after which everything appears to proceed normally on their end. At that point, however, the attacker can capture the login credentials that the manufacturer set for the device, because the hijacked app presents them when it connects. With the UID and those credentials, the attacker can remotely control the device through Kalay without any further exploitation: view sensitive security footage or peek inside a child’s crib, launch denial of service attacks by shutting devices down, install malware on them, or use full control of an embedded device such as an IP camera as a foothold for further attacks on the target’s network. Since the attack works by stealing legitimate login credentials and then using Kalay exactly as intended, victims cannot remove an attacker by resetting or wiping their device.
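To make the registration-hijack idea concrete, here is an added toy model of an identifier-based registration service with its unauthenticated and its keyed form side by side. It is example code written for this page, not Kalay code, and it does not reproduce ThroughTek’s protocol: the registry classes, the HMAC registration tag used as a stand-in for a per-device registration key, and the sample UID and credentials are all constructed for the illustration.

```python
"""
Toy registration service, constructed for this example. NOT Kalay code.
Shows why an unauthenticated "last writer wins" registry lets anyone who
knows a device identifier impersonate the device, and how binding
registration to a per-device secret closes that hole.
"""
import hashlib
import hmac
import secrets


class InsecureRegistry:
    """Maps a UID to whatever endpoint last registered it; no proof required."""

    def __init__(self):
        self._endpoints = {}

    def register(self, uid: str, endpoint: str) -> None:
        self._endpoints[uid] = endpoint  # anyone who knows the UID can overwrite it

    def lookup(self, uid: str) -> str:
        return self._endpoints[uid]


class AuthKeyRegistry:
    """Same service, but a registration must carry an HMAC over (uid, endpoint)
    computed with a secret shared only by the registry and the real device.
    This is an analogue of a per-device registration key, not ThroughTek's design."""

    def __init__(self, device_secrets: dict):
        self._secrets = device_secrets
        self._endpoints = {}

    @staticmethod
    def tag(secret: bytes, uid: str, endpoint: str) -> str:
        msg = f"{uid}|{endpoint}".encode()
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()

    def register(self, uid: str, endpoint: str, tag: str) -> bool:
        secret = self._secrets.get(uid)
        if secret is None:
            return False  # unknown device
        expected = self.tag(secret, uid, endpoint)
        if not hmac.compare_digest(expected, tag):
            return False  # caller knows the UID but not the key: refused
        self._endpoints[uid] = endpoint
        return True

    def lookup(self, uid: str) -> str:
        return self._endpoints[uid]


class Client:
    """A mobile app that resolves its device's UID through the registry and then
    presents the device's fixed credentials to whatever endpoint it was given."""

    def __init__(self, registry, uid: str, credentials: tuple):
        self.registry = registry
        self.uid = uid
        self.credentials = credentials

    def connect(self, transcript: dict) -> str:
        endpoint = self.registry.lookup(self.uid)
        transcript.setdefault(endpoint, []).append(self.credentials)  # what each endpoint saw
        return endpoint


UID = "CONSTRUCTED-UID-0001"                 # constructed sample identifier
DEVICE_CREDS = ("admin", "factory-default")  # constructed sample credentials


def hijack_without_authkey() -> tuple:
    """Returns (endpoint the app connected to, did the attacker receive the creds)."""
    registry = InsecureRegistry()
    registry.register(UID, "device.lan")        # legitimate device registers first
    registry.register(UID, "attacker.example")  # attacker re-registers the same UID
    transcript = {}
    endpoint = Client(registry, UID, DEVICE_CREDS).connect(transcript)
    return endpoint, DEVICE_CREDS in transcript.get("attacker.example", [])


def hijack_with_authkey() -> tuple:
    """Returns (endpoint, was the attacker's registration accepted, did it get creds)."""
    secret = secrets.token_bytes(32)
    registry = AuthKeyRegistry({UID: secret})
    good_tag = AuthKeyRegistry.tag(secret, UID, "device.lan")
    registry.register(UID, "device.lan", good_tag)
    # The attacker knows the UID but not the secret, so any tag it supplies is wrong.
    accepted = registry.register(UID, "attacker.example", "0" * 64)
    transcript = {}
    endpoint = Client(registry, UID, DEVICE_CREDS).connect(transcript)
    return endpoint, accepted, DEVICE_CREDS in transcript.get("attacker.example", [])


if __name__ == "__main__":
    print("no auth key :", hijack_without_authkey())   # attacker gets the credentials
    print("with authkey:", hijack_with_authkey())       # attacker is refused
```

The keyed registry only fixes the registration step; credentials and media still travel in the clear between app and device unless the transport is encrypted as well, which is why the article’s remediation pairs an authentication mechanism with DTLS rather than relying on either alone.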
Important Steps for Users and Manufacturers
The researchers stated that they have not seen real-world exploitation of the vulnerability so far, and they are not releasing details of their analysis or specifics of how to exploit the flaw: their aim is to raise awareness of the problem, not to hand potential attackers a roadmap. CISA recommended that users take defensive measures to “minimize the risk of exploitation of this vulnerability.” ThroughTek has recommended that manufacturers building on the SDK update to Kalay version 3.1.10 or higher. Updating alone, however, does not fully fix the problem: ThroughTek and Mandiant say manufacturers must also enable two optional Kalay features, the DTLS encrypted communication protocol and the AuthKey API authentication mechanism, to address the issue. End users cannot switch these on themselves; they depend on the device vendor shipping firmware built against the updated SDK with both features enabled, so the practical advice for users is to apply firmware updates as soon as they appear and to limit the network exposure of affected devices in the meantime.