New IoT Device Vulnerability Announced
Mandiant, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and Internet of Things provider ThroughTek have disclosed a critical vulnerability affecting millions of IoT devices that could let attackers spy on video and audio feeds from Web cameras, baby monitors, and other devices.
CVE-2021-28372 was discovered by Mandiant’s Jake Valletta, Erik Barzdukas, and Dillon Franke, and it exists in several versions of ThroughTek’s Kalay protocol.
The Kalay protocol is implemented as a software development kit (SDK) that is built into client software, such as a mobile or desktop application, and networked IoT devices such as smart cameras. ThroughTek claims to have more than 83 million active devices and at least 1.1 billion monthly connections on its platform, and its clients include IoT camera manufacturers, smart baby monitors, and digital video recorder (DVR) products.
This isn’t the first ThroughTek flaw disclosed this year. In May 2021, researchers with Nozomi Networks disclosed a security camera vulnerability affecting a software component from ThroughTek. Unlike this flaw, CVE-2021-28372 allows attackers to communicate with devices remotely and in doing so, control devices and potentially conduct remote code execution.