Security researchers are warning about a critical flaw affecting millions of devices worldwide that are connected to the Kalay IoT platform.
The issue affects video and surveillance products and home automation IoT systems from various manufacturers that use the Kalay network. Because the Kalay platform is used by numerous manufacturers for their devices, researchers could not create a list of affected brands.
What is known is that the issue affects the Kalay protocol, which is implemented as a software development kit (SDK) in mobile and desktop apps for IoT devices.
The vulnerability was discovered at the end of 2020 by researchers from Mandiant’s Red Team. A remote attacker could exploit this flaw, which has a score of 9.6 out of 10, to gain access to the live video and audio streams of a vulnerable device. What’s more, an attacker could take full control of the device.
A flaw in the Kalay protocol could allow an attacker to execute arbitrary code remotely.
Mandiant’s Jake Valletta, Erik Barzdukas, and Dillon Franke looked at the Kalay protocol and discovered that device registration required only the device’s unique identifier (UID). An attacker who has a UID could register their own device on the network, intercept client connection attempts, obtain the login credentials, and ultimately gain remote access to the victim device’s audio-video data.
Researchers said that such remote access can lead to full device compromise.
“Mandiant observed that the binaries on IoT devices processing Kalay data typically ran as the privileged user root and lacked common binary protections such as Address Space Layout Randomization (“ASLR”), Platform Independent Execution (“PIE”), stack canaries, and NX bits,” said Mandiant.
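Firmware binaries can be audited for the protections Mandiant lists. The following is an added example (not from Mandiant or the original article) that reads ELF headers to report PIE, NX and stack-canary status; `check_hardening` and `make_sample` are hypothetical names, the sample images are constructed, and the checks are heuristics. ASLR itself is a kernel setting, which a main executable only fully benefits from when built as PIE.

```python
import struct

PT_GNU_STACK, PF_X, ET_DYN = 0x6474E551, 0x1, 3

def check_hardening(elf: bytes) -> dict:
    """Heuristic hardening report for one ELF image (32/64-bit, either endianness)."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"       # EI_DATA: 1 = little-endian
    (e_type,) = struct.unpack_from(end + "H", elf, 16)
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", elf, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 54)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", elf, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 42)
    nx = False  # no PT_GNU_STACK header: assume the stack may be executable
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", elf, off)
        if p_type == PT_GNU_STACK:
            # p_flags sits at offset 4 in an ELF64 phdr, 24 in an ELF32 phdr
            (p_flags,) = struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))
            nx = not p_flags & PF_X
    return {
        "pie": e_type == ET_DYN,                # ET_DYN is also used by shared objects
        "nx": nx,
        "canary": b"__stack_chk_fail" in elf,   # symbol referenced by canary checks
    }

def make_sample(e_type: int, stack_flags: int, extra: bytes = b"") -> bytes:
    """Constructed sample input: 32-bit little-endian ELF with one PT_GNU_STACK header."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", e_type, 40, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr + extra

if __name__ == "__main__":
    weak = make_sample(2, 0x7)                            # ET_EXEC, RWX stack, no canary
    hard = make_sample(3, 0x6, b"__stack_chk_fail\x00")   # ET_DYN, RW stack, canary symbol
    for name, image in (("weak", weak), ("hardened", hard)):
        print(name, check_hardening(image))
```

On real firmware, pass the bytes of each extracted binary to `check_hardening`; a daemon that runs as root and reports `False` for all three fields matches the profile described in the quote.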
Researchers at Mandiant developed a way to discover and register devices on the Kalay network, authenticate clients, and process audio and video data. They were able to develop a PoC exploit that let them impersonate a device on the Kalay platform.
The Kalay network has more than 83 million devices and manages over a billion connections each month.
The researchers noted that an attacker would need to be familiar with the Kalay protocol in order to exploit the flaw successfully. The attacker would also have to obtain the UIDs, a task that most attackers can perform by using social engineering or exploiting other weaknesses.