A security camera located on the Mount Vernon river walk in Washington. SC Media is not suggesting that this particular camera uses ThroughTek's Kalay protocol. (© Cody Logan / Wikimedia Commons / "Security camera, September 2018" / CC BY-SA 4.0)

Researchers, in conjunction with CISA, have disclosed a critical device impersonation vulnerability that could enable remote code execution in potentially millions of IoT devices, including security cameras operating in workplace environments, as well as other smart products found in employees' homes.

The affected products use "Kalay," a cloud-based platform from Taiwan-based ThroughTek that's used to integrate and facilitate point-to-point communication between disparate IoT devices and sensors. While such platforms and their protocols offer a heavy measure of convenience by allowing interaction between different manufacturers' products, they also potentially increase an environment's attack surface.

Case in point: members of FireEye's Mandiant Red Team in late 2020 uncovered CVE-2021-28372, a flaw that could potentially allow malicious actors to compromise device credentials, hijack devices, and eavesdrop on live audio and real-time video data.

"Proprietary IoT protocols such as Kalay introduce new opportunities for things to go wrong from a security perspective," said Jake Valletta, director of proactive services at Mandiant, in an email interview with SC Media. "Users of these protocols often have no visibility into how they are implemented and rely on OEMs having good development and review practices. When these good practices do not occur, serious vulnerabilities can remain hidden and affect a large number of clients or devices when discovered."

In a recent press announcement, ThroughTek stated that more than 83 million active devices use its Kalay platform, which is implemented as a Software Development Kit found in client software and networked devices such as cameras, DVRs and baby monitors. While it's not clear how many of these devices are impacted, users can at least take solace in the fact that a patch is available by updating the SDK library to version 3.3.1.0 or 3.4.2.0.

Device owners are also advised to "enable the AuthKey and Datagram Transport Layer Security [DTLS]... features provided by the Kalay platform," and "review security controls in place on APIs or other services that return Kalay unique identifiers" (UIDs), according to a blog post that Mandiant published on Tuesday morning.

In order to take advantage of an unpatched device, adversaries would first need to study and understand Kalay protocols (much as Mandiant researchers did while searching for vulnerabilities), and then obtain a victim device's UID either through social engineering or by abusing an API flaw. Valletta told SC Media that this is quite feasible.

"The research and reverse engineering of the Kalay protocol would be attainable for a skilled attacker," said Valletta. "After the initial research and reverse engineering of the Kalay protocol, attacks could be easily automated and performed by low-skill attackers. The specifics of the attack do not change between devices or UIDs."

As for obtaining UIDs, "attackers could come up with many pretexts" for socially engineering people into giving them up, he continued. Additionally, "they could also recover UIDs on public networks, identify insecure APIs that return UIDs, or find UIDs on social media or public support forums for affected devices."

The vulnerability boils down to an insecure method for devices to access the Kalay network. For starters, the device registration process requires only the aforementioned UID, which is "typically provided to a Kalay-enabled client (such as a mobile application) from a web API hosted by the company that markets and sells a device model," the Mandiant blog post explains. But this is insufficient protection and access should not be so easy, said Valletta.

"Additional features should be implemented. Attempted device registrations that would be impossible due to time and geographic reasons should be denied by ThroughTek," Valletta continued. Moreover, "Mandiant has not been able to remotely exploit this vulnerability when the ThroughTek AuthKey [authentication key] feature is properly implemented; thus, Mandiant strongly recommends that AuthKey be required for all clients and the Kalay protocol that does not implement AuthKey be deprecated."

Relying solely on the UID spells trouble if a malicious actor is able to obtain a particular device's UID. In such a case, the attacker can register his or her own device with the same UID on the network, effectively overwriting the original device. "Once an attacker has maliciously registered a UID, any client connection attempts to access the victim UID will be directed to the attacker. The attacker can then continue the connection process and obtain the authentication materials (a username and password) needed to access the device," the blog post explains.
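To make the registration weakness concrete, the following added example (written for this article, not ThroughTek's or Mandiant's code) models two registry designs side by side: one that accepts a bare UID, where a later registration silently replaces the earlier one, and a hardened one in which each UID is provisioned with a per-device secret standing in for the AuthKey recommended above, so a registration must prove possession of it over a single-use server nonce. The UID, the endpoints and the HMAC-based proof are constructed assumptions for the model; the real Kalay wire format is not public and is not reproduced here.

```python
import hashlib
import hmac
import secrets


class UidOnlyRegistry:
    """Weak design from the article: registering needs only the UID, so whoever
    registers a UID last is where client connections for that UID are directed."""
    def __init__(self):
        self._endpoints = {}  # uid -> endpoint clients are sent to

    def register(self, uid, endpoint):
        self._endpoints[uid] = endpoint  # silently replaces any earlier registration
        return True

    def resolve(self, uid):
        return self._endpoints.get(uid)


class AuthKeyRegistry:
    """Hardened model: every UID is provisioned with a per-device secret (assumed
    AuthKey) and registration must prove possession via HMAC over a fresh nonce."""
    def __init__(self):
        self._keys = {}       # uid -> secret provisioned at manufacture
        self._endpoints = {}
        self._nonces = set()  # outstanding challenges, each accepted once

    def provision(self, uid, authkey):
        self._keys[uid] = authkey

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._nonces.add(nonce)
        return nonce

    @staticmethod
    def proof(authkey, uid, nonce):
        # What a genuine device computes: HMAC-SHA256(AuthKey, nonce || uid)
        return hmac.new(authkey, nonce + uid.encode(), hashlib.sha256).digest()

    def register(self, uid, endpoint, nonce, proof):
        key = self._keys.get(uid)
        if key is None or nonce not in self._nonces:
            return False  # unknown UID, or a nonce the server never issued
        self._nonces.discard(nonce)  # single use: a replayed proof is rejected
        if not hmac.compare_digest(self.proof(key, uid, nonce), proof):
            return False  # caller does not hold this UID's secret
        self._endpoints[uid] = endpoint
        return True

    def resolve(self, uid):
        return self._endpoints.get(uid)


def demo():
    uid = "CONSTRUCTED-UID-0001"  # constructed sample value, not a real Kalay UID
    weak = UidOnlyRegistry()
    weak.register(uid, "camera")
    weak.register(uid, "second-registrant")  # the later registration wins
    hard = AuthKeyRegistry()
    real_key = secrets.token_bytes(32)
    hard.provision(uid, real_key)
    n1 = hard.challenge()
    ok = hard.register(uid, "camera", n1, AuthKeyRegistry.proof(real_key, uid, n1))
    n2 = hard.challenge()
    rejected = hard.register(uid, "second-registrant", n2,
                             AuthKeyRegistry.proof(b"guessed-key", uid, n2))
    return weak.resolve(uid), ok, rejected, hard.resolve(uid)
```

Running `demo()` shows the weak registry now resolving the UID to the second registrant while the hardened registry still resolves it to the original camera.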

Mandiant also warns that attackers could abuse the Kalay network "to remotely connect to the original device, access AV data, and execute" remote procedure calls (RPCs), a form of interprocess communication.

"Vulnerabilities in the device-implemented RPC interface can lead to fully remote and complete device compromise," the Mandiant blog post states. "Mandiant observed that the binaries on IoT devices processing Kalay data typically ran as the privileged user root and lacked common binary protections such as Address Space Layout Randomization (ASLR), Platform Independent Execution (PIE), stack canaries, and NX bits." Such features should be enabled and hardened "on all binaries processing Kalay data, and RPC functions should be treated as untrusted and sanitized appropriately."

"In terms of RPC-related protections, device manufacturers should ensure that only necessary functionality is enabled on the device via the Kalay SDK," added Valletta.

The Mandiant report came out just two months after Nozomi Networks and CISA jointly disclosed a different vulnerability in ThroughTek security cameras. This flaw was also patched in versions 3.3.1.0 and 3.4.2.0, and can also be mitigated by enabling AuthKey and DTLS features.

"ThroughTek supplies multiple original equipment manufacturers of IP cameras with P2P connections as part of its cloud platform. Successful exploitation of this vulnerability could permit unauthorized access to sensitive information, such as camera audio/video feeds," said the CISA ICS advisory.