Millions of feeds from webcams and baby monitors are revealed

it is vulnerability hidden in a variety of smart devices (security cameras, DVRs, and even children’s monitors), an attacker can access live video and audio streams over the Internet and remotely control gadgets. Worst of all, it’s not limited to a single manufacturer; appears in the software development kit, which includes more than 83 million devices — and includes more than a billion connections a month.

The aforementioned ThroughTek SDK is Kalay, which provides a plug-and-play system for connecting smart devices to their respective mobile applications. The Kalay platform mediates the connection between a device and its application, manages authentication, and sends commands and data back and forth. For example, Kalay offers built-in functionality to coordinate between security camera and applications that can remotely control the angle of the camera. Researchers at the security company Mandiant found a serious flaw in late 2020, and are making it public today, along with the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency.

“You build Kalay on it and it’s the glue and functionality that these smart devices need,” says Mandiant director Jake Valletta. “An attacker can intentionally connect to a device, recover audio and video, and use a remote API, such as launching a firmware update, changing the pan angle of a camera, or restarting the device. The user doesn’t know anything is wrong.”

The error lies in the registration mechanism between the devices and their mobile applications. Researchers have found that this basic connection is in the “UID” of each device, Kalay’s unique identifier. An attacker who learns the UID of a device — Valetta says it can be achieved through a social engineering attack or by looking at a particular manufacturer’s web vulnerabilities — and has some knowledge of the Kalay protocol can re-register the UID and, most importantly, hijack the connection. the next time someone tries to legitimately access the target device. The user will delay for a few seconds, but then everything goes normally from his point of view.

The attacker, however, can take the special credentials that each manufacturer sets for their devices (usually a single random username and password). With this UID plus login the attacker can remotely control the device via Kalay without any further hacking or manipulation. Attackers can use full control of an embedded device such as an IP camera as a point of sale to gain deeper insight into a target’s network.

Using the bug, an attacker can watch video feeds in real time, view sensitive security images, or crib the baby. They can launch an attack to deny service to the camera or other gadgets when turned off. Or they may install malicious firmware on target devices. In addition, because the attack works by obtaining credentials and then using Kalay to remotely manage the embedded devices, victims would not be able to expel intruders by removing or resetting their equipment. Hackers can re-launch the attack.

As with many security breaches on the Internet of Things, identifying where the bug is is far from a fix. ThroughT is just one part of the massive ecosystem that needs to be involved in tackling vulnerability. Manufacturers include Kalay in their products, which can then be bought by another company to sell under a particular brand. This means that while ThroughTek has released a bug fix, it’s hard to know how many companies trust Kalay and need to distribute the update.

The researchers did not specify how to take advantage of the details or weakness of the Kalay protocol analysis. They say they have not seen evidence of real-world exploitation, and their goal is to raise awareness about the problem without giving way to real attackers. ThroughTek has not returned any WIRED comment requests. In June, the company release a vulnerability fix in Kalay version 3.1.10. Mandiant researchers recommend that manufacturers switch to this or a newer version and activate two Kalay offerings: an encrypted DTLS communication protocol and an AuthKey API authentication mechanism.