Bug Affecting IoT Devices Allows Hackers To Spy On Users

Share post:

Researchers discovered a vulnerability known as CVE-2021-28372 that can affect millions of devices worldwide connected via ThroughTek’s Kalay IoT cloud platform.

The security issue affects products from various manufacturers that offer video and surveillance solutions as well as IoT systems for home automation that use the Kalay network to easily connect and communicate with an app.

According to researchers from Mandiant’s Red Team, the vulnerability affects the Kalay protocol, which is integrated into mobile and desktop applications as a Software Development Kit SDK.

When examining the Kalay protocol from ThroughTek, the researchers found that the registration of a device in the Kalay network only requires its unique identifier (UID).

Kalay clients receive the UID from a Web API hosted by the provider of the IoT device. So, an attacker could easily register a device they control and receive all client connection attempts on the Kalay network once they have the UID of a target system thereby granting them access to login credentials that allow remote access to the victim’s audio-video data.

Researchers from Mandiant’s Red Team discovered the vulnerability in late 2020 and worked with the U.S. Cybersecurity and Infrastructure Security Agency and ThroughTek to coordinate disclosure and create mitigation options.

Owners of affected devices are advised to mitigate the risk by updating their device software and applications.

For more information, read the original story in BleepingComputer.

SUBSCRIBE NOW

Related articles

FBI’s Operation Level Up Ends Cyber Scams and Saves Millions of Dollars and Lives

We should send a love note out to The Federal Bureau of Investigation (FBI) who launched Operation Level...

DOGE’s Teen Hacker Stirs Concern Over Musk Team’s Access to Federal Databases

A 19-year-old named Edward “Big Balls” Coristine has raised red flags after Wired revealed he holds a key...

Deep Seek and Open Source AI – Without the Hype: Discussion with Robert Falzon, Head of Engineering, Check Point

DeepSeek AI is shaking up the cybersecurity world—are we prepared for the risks? Join host Jim Love and...

Researchers Jailbreak DeepSeek AI, Expose System Prompt and Raise Security Concerns

Security researchers at Wallarm have successfully jailbroken DeepSeek, a recently released open-source AI model from China. The jailbreak...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways