The researchers are not publishing details of their analysis of the Kalay protocol or how to exploit the vulnerability. They say they haven’t seen any evidence of real-world exploitation, and their goal is to raise awareness about the problem without giving a roadmap to the real attackers.
To defend against exploitation, devices must be running Kalay version 3.1.10, originally released by ThroughTek in late 2018, or later. But even the current version of the Kalay SDK (3.1.5) does not automatically fix the vulnerability. Instead, ThroughTek and Mandiant say that to plug the hole, manufacturers need to enable two optional Kalay features: the DTLS encrypted communication protocol and the AuthKey API authentication mechanism.
“We have been made aware by Mandiant of a vulnerability … which could allow a malicious third party to gain unauthorized access to sensitive information, and we have notified our customers and assisted customers who have used the obsolete SDK to update the device firmware,” said Yi-Ching Chen, member of the product security incident response team at ThroughTek.
Chen adds, however, that it has been difficult to get clients to update en masse, an observation that follows Mandiant’s findings. Three years after the release of a version of the SDK that contained options to stop these types of attacks, Mandiant researchers came across a massive population of still vulnerable devices.
“Over the past three years, we’ve asked our customers to upgrade their SDKs,” says Chen of ThroughTek. “Some older devices lack an OTA [over-the-air update] feature, which makes upgrading impossible. Additionally, we have customers who do not wish to enable DTLS as it will slow down the speed of connection establishment, and therefore are reluctant to upgrade.”
Mandiant’s Valletta said the late 2018 release of ThroughTek’s SDK did not contain adequate information for customers on the importance of proactively updating and enabling both protection features. The company recently issued an alert in response to Mandiant’s more forceful research.
“It’s not a silver bullet for many ThroughTek customers, so when it’s billed as an optional update, we expect a lot of them didn’t prioritize it because they didn’t realize that it was related to the mitigation of a critical vulnerability,” Valletta said.
Nozomi Networks researchers also recently revealed a different Kalay vulnerability which could also be exploited to access live audio and video streams. And researchers have warned for years about the potential security implications of pre-fabricated IoT platforms like Kalay.
For regular users who may already have vulnerable devices in their home or business, there isn’t a complete list of affected devices to work from. The practical advice is to install all available software updates on your embedded devices whenever possible. Mandiant’s Valletta says he hopes today’s public disclosure will help raise awareness and get more top vendors to update Kalay in their products. But he says, realistically, that the fixes may never be made to devices made by small businesses, those who don’t invest much in security, or those who buy their devices from white-label vendors and then apply a brand name.
“I think there’s light at the end of the tunnel, but I’m hesitant to say everyone’s going to patch,” Valletta says. “We’ve been doing this for years, and we’re seeing a lot of patterns and types of bugs over and over again. Internet of Things security still has a long way to go.”
Updated August 17, 2021 at 1 p.m. ET to include comments from ThroughTek and additional background on Mandiant’s mitigation measures.