A remote attacker could exploit the vulnerability to listen in on live video and audio or take complete control of a device. The bug is in ThroughTek's Kalay network. Security researchers found a flaw that affects millions of IoT devices and exposes live audio or video streams to eavesdropping by threat actors. It could also allow attackers to control the devices, which include baby monitors and security webcams. The flaw is tracked as FEYE-2021-0020 and CVE-2021-28372. It has been assigned a score of 3.1 on the CVSS scale, and it was discovered in devices that connect through ThroughTek's Kalay cloud platform.
The alarm was sounded on August 17 by cybersecurity firm Mandiant, in cooperation with CISA and ThroughTek. Mandiant's Red Team revealed the vulnerability in 2020. According to Mandiant's post, the flaw poses an immense risk to an end user's security and privacy and should be properly mitigated. Unprotected devices such as IoT cameras can be compromised by an attacker who obtains the UID, and the attacks that follow depend on the functionality the device exposes.
By now, the consequences of such devices being misconfigured or riddled with vulnerabilities are well known. In February, a vulnerability affected several baby monitors and exposed many live devices, allowing someone to eavesdrop and watch a camera's video stream.
In the August 17 post, researchers Erik Barzdukas, Dillon Franke, and Jake Valletta, who found the bug, said that no one could compile a list of the affected products or companies, given the way manufacturers and resellers integrate the Kalay protocol before devices reach customers. Although they did not produce a definitive list of affected products, they advised users to keep their IoT device software and applications updated and to use complex passwords for all accounts related to such devices. Mandiant also recommended that device owners avoid connecting to affected devices from untrusted networks such as public Wi-Fi.
Mandiant determined that the problem lies in the device registration process. Registration requires a 20-byte identifier on the device, the UID, to access the network. To exploit the vulnerability, attackers would need in-depth knowledge of the Kalay protocol and the ability to generate and send messages. They would also need to get hold of Kalay UIDs, which the researchers said they could easily obtain through social engineering or other vulnerabilities in APIs. Mandiant investigated brute-forcing ThroughTek UIDs, but the researchers said it took too much time and too many resources.
Once attackers have the UIDs, they can take control of the affected IoT devices tied to them. Whenever the owner tries to reach the device, the connection for that UID is directed to the attackers, resulting in a hijack of the connected device. Mandiant's Jake Valletta said that the device owner would experience some lag, and that is a difference they can easily see. The attacker then continues the connection procedure to steal the device's username and password.
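The registration weakness described above can be shown with a small model. This is an added example, not ThroughTek's or Mandiant's code and not the Kalay protocol: the class names, the constructed UID and the HMAC challenge-response used as the hardened variant are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

class UidOnlyRegistry:
    """Weak model: the 20-byte UID is the only credential."""
    def __init__(self):
        self.routes = {}  # uid -> endpoint that owner connections are sent to

    def register(self, uid: bytes, endpoint: str) -> bool:
        if len(uid) != 20:
            return False
        self.routes[uid] = endpoint  # last registration wins, no proof of identity
        return True

def prove(key: bytes, nonce: bytes, endpoint: str) -> bytes:
    """Proof a device computes with its provisioned secret (assumed scheme)."""
    return hmac.new(key, nonce + endpoint.encode(), hashlib.sha256).digest()

class AuthenticatedRegistry:
    """Hardened model: registering a UID requires the per-device secret."""
    def __init__(self, device_keys):
        self.device_keys = device_keys  # uid -> secret set at manufacture (assumption)
        self.routes = {}
        self.pending = {}  # uid -> outstanding single-use nonce

    def challenge(self, uid: bytes) -> bytes:
        self.pending[uid] = os.urandom(16)
        return self.pending[uid]

    def register(self, uid: bytes, endpoint: str, proof: bytes) -> bool:
        nonce = self.pending.pop(uid, None)  # a nonce can be answered only once
        key = self.device_keys.get(uid)
        if nonce is None or key is None:
            return False
        if not hmac.compare_digest(prove(key, nonce, endpoint), proof):
            return False  # knowing the UID alone is not enough
        self.routes[uid] = endpoint
        return True

def demo():
    uid, key = b"CONSTRUCTED-UID-0001", os.urandom(32)  # constructed sample values
    weak = UidOnlyRegistry()
    weak.register(uid, "camera")
    weak.register(uid, "impostor")  # second party that only knows the UID
    strong = AuthenticatedRegistry({uid: key})
    strong.register(uid, "camera", prove(key, strong.challenge(uid), "camera"))
    nonce = strong.challenge(uid)
    rejected = not strong.register(uid, "impostor", prove(b"guess", nonce, "impostor"))
    return weak.routes[uid], strong.routes[uid], rejected
```

In the weak model the owner's next connection is routed to whoever registered the UID last; in the hardened model the route stays with the real device.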
by Neelam Dimri | Jan 17, 2022 | IoT News