Today, Mandiant disclosed a critical risk vulnerability in coordination with the Cybersecurity and Infrastructure Security Agency (“CISA”) that affects millions of IoT devices that use the ThroughTek “Kalay” network. This vulnerability, discovered by researchers on Mandiant’s Red Team in late 2020, would enable adversaries to remotely compromise victim IoT devices, resulting in the ability to listen to live audio, watch real time video data, and compromise device credentials for further attacks based on exposed device functionality. These further attacks could include actions that would allow an adversary to remotely control affected devices.
At the time of writing this blog post, ThroughTek advertises having more than 83 million active devices and over 1.1 billion monthly connections on their platform. ThroughTek’s clients include IoT camera manufacturers, smart baby monitors, and Digital Video Recorder (“DVR”) products. Unlike the vulnerability published by researchers from Nozomi Networks in May 2021 (also in coordination with CISA), this latest vulnerability allows attackers to communicate with devices remotely. As a result, further attacks could include actions that would allow an adversary to remotely control affected devices and could potentially lead to remote code execution.
The Kalay protocol is implemented as a Software Development Kit (“SDK”) which is built into client software (e.g. a mobile or desktop application) and networked IoT devices, such as smart cameras. Due to how the Kalay protocol is integrated by original equipment manufacturers (“OEMs”) and resellers before devices reach consumers, Mandiant is unable to determine a complete list of products and companies affected by the discovered vulnerability.
This vulnerability has been assigned a CVSS3.1 base score of 9.6 and is tracked as CVE-2021-28372 and FEYE-2021-0020. This blog post discusses the Kalay network and CVE-2021-28372 at a high level. It also includes recommendations from ThroughTek and Mandiant, along with mitigation options.
Mandiant would like to thank both CISA and ThroughTek for their coordination and support in releasing this advisory.
What devices are affected, and (potentially) how many devices are affected?
The vulnerabilities described in this post affect a core component of the Kalay platform. Mandiant was not able to create a comprehensive list of affected devices; however, ThroughTek’s website reports more than 83 million active devices on the Kalay platform at the time of writing this post.
How is the issue being addressed?
Mandiant worked with ThroughTek and CISA to disclose this vulnerability and would strongly recommend companies using the Kalay platform follow the guidance provided by ThroughTek and Mandiant:
- If the implemented SDK is below version 3.1.10, upgrade the library to version 220.127.116.11 or version 18.104.22.168 and enable the Authkey and Datagram Transport Layer Security (“DTLS”) features provided by the Kalay platform.
- If the implemented SDK is version 3.1.10 and above, enable Authkey and DTLS.
- Review security controls in place on APIs or other services that return Kalay unique identifiers (“UIDs”).
How would an attacker exploit these vulnerabilities?
An attacker would require comprehensive knowledge of the Kalay protocol and the ability to generate and send messages. The attacker would also need to obtain Kalay UIDs through social engineering or other vulnerabilities in APIs or services that return Kalay UIDs. From there, an attacker would be able to remotely compromise affected devices that correspond to the obtained UIDs.
How do I know if a device I own is affected? How do I protect myself if I own an affected device?
Mandiant was not able to create a comprehensive list of devices using the Kalay platform, but strongly encourages users of IoT devices to keep device software and applications up to date and use complex, unique passwords for any accounts associated with these devices.
Device owners should avoid connecting to affected devices from untrusted networks such as public wireless networks.
Who discovered this vulnerability?
Jake Valletta, Erik Barzdukas, and Dillon Franke.
CVE-2021-28372: Device Impersonation
Mandiant researchers analyzed ThroughTek’s Kalay protocol using two different approaches. First, the researchers selectively downloaded and disassembled applications from both the Google Play Store and Apple App Store that included ThroughTek libraries. These libraries typically did not contain debugging symbols, which required the team to also perform dynamic analysis with tools such as Frida, gdb, and Wireshark.
In addition, Mandiant purchased various Kalay-enabled devices. The team performed local and hardware-based attacks to obtain shell access, recover firmware images, and perform additional dynamic testing. These techniques included identifying UART/JTAG interfaces, performing chip-off attacks, and exploiting other debugging functionality present on the devices.
Over the course of several months, the researchers developed a fully functional implementation of ThroughTek’s Kalay protocol, which enabled the team to perform key actions on the network, including device discovery, device registration, remote client connections, authentication, and most importantly, process audio and video (“AV”) data. Equally as important as processing AV data, the Kalay protocol also implements remote procedure call (“RPC”) functionality. This varies from device to device but typically is used for device telemetry, firmware updates, and device control.
Having written a flexible interface for creating and manipulating Kalay requests and responses, Mandiant researchers focused on identifying logic and flow vulnerabilities in the Kalay protocol. The vulnerability discussed in this post affects how Kalay-enabled devices access and join the Kalay network. The researchers determined that the device registration process requires only the device’s 20-byte uniquely assigned identifier (called a “UID” here) to access the network. In Mandiant’s testing, this UID was typically provided to a Kalay-enabled client (such as a mobile application) from a web API hosted by the company that markets and sells a device model. Mandiant investigated the viability of brute forcing ThroughTek UIDs and found it to be infeasible due to the necessary time and resources.
Figure 1 shows a typical device registration and client connection process on the Kalay network. The example scenario is a user remotely accessing their camera feed on a mobile application from a remote network, (e.g. a coffee shop or mobile phone network) with their Kalay-enabled camera located on their home network.
Figure 1: Normal device registration and connection process
If an attacker obtains a UID of a victim Kalay device, they can maliciously register a device with the same UID on the network and cause the Kalay servers to overwrite the existing Kalay device. Once an attacker has maliciously registered a UID, any client connection attempts to access the victim UID will be directed to the attacker. The attacker can then continue the connection process and obtain the authentication materials (a username and password) needed to access the device. Figure 2 shows a client connection attempt when both a victim device and a malicious device with the same UID exist simultaneously on the network. In this example, the malicious registration is overwriting the existing registration on the network, causing client connections to be mistakenly routed to the malicious device.
Figure 2: Attacker exploiting device personation vulnerability to capture credentials
With the compromised credentials, an attacker can use the Kalay network to remotely connect to the original device, access AV data, and execute RPC calls. Vulnerabilities in the device-implemented RPC interface can lead to fully remote and complete device compromise. Mandiant observed that the binaries on IoT devices processing Kalay data typically ran as the privileged user root and lacked common binary protections such as Address Space Layout Randomization (“ASLR”), Platform Independent Execution (“PIE”), stack canaries, and NX bits.
Figure 3 shows a hypothetical attack utilizing the captured Kalay username and password to stage a further attack by abusing vulnerabilities in the Kalay RPC interface.
Figure 3: Attacker using captured credentials to fetch audio/video data
The following video (Figure 4) demonstrates a functional proof of concept for CVE-2021-28372. Note that Mandiant is not releasing any public exploit code.