Millions of Web Camera and Baby Monitor Feeds Are Exposed

A vulnerability in the Kalay platform leaves countless IoT devices susceptible to hackers.

A vulnerability is lurking in numerous types of smart devices, including security cameras, DVRs, and even baby monitors, that could allow an attacker to access live video and audio streams over the internet and even take full control of the gadgets remotely. What's worse, it's not limited to a single manufacturer; it shows up in a software development kit that permeates more than 83 million devices and over a billion connections to the internet each month.

The SDK in question is ThroughTek Kalay, which provides a plug-and-play system for connecting smart devices with their corresponding mobile apps. The Kalay platform brokers the connection between a device and its app, handles authentication, and sends commands and data back and forth. For example, Kalay offers built-in functionality to coordinate between a security camera and an app that can remotely control the camera angle. Researchers from the security firm Mandiant discovered the critical bug at the end of 2020, and they are publicly disclosing it today in conjunction with the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency.

“You build Kalay in, and it's the glue and functionality that these smart devices need,” says Jake Valletta, a director at Mandiant. “An attacker could connect to a device at will, retrieve audio and video, and use the remote API to then do things like trigger a firmware update, change the panning angle of a camera, or reboot the device. And the user doesn’t know that anything is wrong.”

The flaw is in the registration mechanism between devices and their mobile applications. The researchers found that this most basic connection hinges on each device's “UID,” a unique Kalay identifier. An attacker who learns a device's UID (which Valletta says could be obtained through a social engineering attack, or by searching for web vulnerabilities of a given manufacturer) and who has some knowledge of the Kalay protocol can reregister the UID and essentially hijack the connection the next time someone attempts to legitimately access the target device. The user will experience a few seconds of lag, but then everything proceeds normally from their perspective.

The attacker, though, can grab special credentials, typically a random, unique username and password, that each manufacturer sets for its devices. With the UID plus this login the attacker can then control the device remotely through Kalay without any other hacking or manipulation. Attackers can also potentially use full control of an embedded device like an IP camera as a jumping-off point to burrow deeper into a target's network.
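A hypothetical model, added here and not Mandiant's or ThroughTek's code, of the registration pattern the article describes: a broker that lets any caller (re)register a UID, beside one that only accepts a registration proving knowledge of a secret provisioned to the real device. The broker, UIDs, endpoints and secret values are constructed for illustration and say nothing about how Kalay itself is implemented.

```python
"""Toy UID-keyed rendezvous broker (hypothetical; not Kalay's protocol).

Shows why first-come (re)registration is dangerous: the next legitimate
client is routed to whoever registered last and hands them the device login.
Binding registration to a per-device secret closes that gap.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple
import hmac


@dataclass
class Broker:
    """Maps a device UID to the endpoint currently claiming it (constructed model)."""
    require_key: bool
    # Secrets known only to the genuine device and the broker (constructed values).
    provisioned_keys: dict = field(default_factory=dict)
    endpoints: dict = field(default_factory=dict)
    received: dict = field(default_factory=dict)  # endpoint -> logins it was sent

    def register(self, uid: str, endpoint: str, key: str = "") -> bool:
        """Weak mode: anyone may overwrite a UID. Hardened mode: the caller must
        present the secret bound to that UID; unknown UIDs cannot be claimed."""
        if self.require_key:
            expected = self.provisioned_keys.get(uid)
            if expected is None or not hmac.compare_digest(expected, key):
                return False
        self.endpoints[uid] = endpoint
        return True

    def connect(self, uid: str, login: Tuple[str, str]) -> Optional[str]:
        """The mobile app resolves the UID and sends the device login to whatever
        endpoint is registered. Returns the endpoint that received the login."""
        endpoint = self.endpoints.get(uid)
        if endpoint is not None:
            self.received.setdefault(endpoint, []).append(login)
        return endpoint


def simulate(require_key: bool) -> Optional[str]:
    """Returns which endpoint ends up holding the app's device credentials."""
    broker = Broker(require_key=require_key, provisioned_keys={"UID-0001": "s3cret"})
    broker.register("UID-0001", "real-camera", key="s3cret")
    # A party that learned the UID but not the provisioned secret reregisters it.
    broker.register("UID-0001", "impostor", key="guess")
    return broker.connect("UID-0001", login=("admin", "random-pass"))
```

With `require_key=False` the login lands on the impostor's endpoint; with `require_key=True` the reregistration is rejected and the genuine device keeps the UID.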

By exploiting the flaw, an attacker could watch video feeds in real time, potentially viewing sensitive security footage or peeking inside a baby's crib. They could launch a denial of service attack against cameras or other gadgets by shutting them down. Or they could install malicious firmware on target devices. Additionally, since the attack works by grabbing credentials and then using Kalay as intended to remotely manage embedded devices, victims wouldn't be able to oust intruders by wiping or resetting their equipment. Hackers could simply relaunch the attack. 

As with many internet-of-things security meltdowns, identifying where the bug exists is a far cry from getting it fixed. ThroughTek is only one part of a massive ecosystem that needs to participate in addressing the vulnerability. Manufacturers incorporate Kalay in their products, which may then be bought by another company to be sold with a particular brand name. This means that while ThroughTek has released a fix to patch the flaw, it's difficult to know exactly how many companies rely on Kalay and need to distribute the update.

The researchers are not releasing details about their analysis of the Kalay protocol or the specifics of how to exploit the vulnerability. They say they haven't seen evidence of real-world exploitation, and their goal is to raise awareness about the problem without handing real attackers a road map. ThroughTek did not return a request for comment from WIRED. In June, the company released a fix for the vulnerability in Kalay version 3.1.10. The Mandiant researchers recommend that manufacturers upgrade to this version or higher and turn on two Kalay offerings: the encrypted communication protocol DTLS and the API authentication mechanism AuthKey.

Researchers from Nozomi Networks also recently disclosed a different Kalay vulnerability that could also be exploited to access live audio and video feeds. And researchers have warned for years about the potential security implications of prefab IoT platforms like Kalay.

For regular users who may already have vulnerable devices in their homes or businesses, there's no complete list of impacted devices to work off of. You should simply install any available software updates on your embedded devices whenever possible. Mandiant's Valletta says he's hopeful that the disclosure process will help raise awareness and get more large vendors to update Kalay in their products. But he says, realistically, fixes may never come to devices made by smaller companies, those who don't invest heavily in security, or those who buy their devices from white label providers and then slap a brand name on it.

“I think there is light at the end of the tunnel, but I'm hesitant to say that everyone is going to patch,” Valletta says. “We’ve been doing this for years, and we see a lot of patterns and kinds of bugs over and over again. Internet-of-things security still has a lot of catching up to do.”
