Original Issue Date: August 23, 2021
Severity Rating: HIGH
Software Affected
The following versions of Kalay P2P Software Development Kit (SDK) are affected:
ThroughTek's Kalay Platform SDK version 3.1.10 or prior
SDK versions with the “nossl” tag
Firmware that does not use AuthKey for IOTC connections
Firmware using the AVAPI module without enabling DTLS
Firmware using P2PTunnel or RDT
Overview
An Information Disclosure Vulnerability exists in the ThroughTek “Kalay” protocol which allows a remote attacker to access sensitive information (such as camera feeds) or perform remote code execution and complete takeover of the victim’s device.
Description
This vulnerability exists in the ThroughTek Kalay protocol, a P2P IoT protocol developed by the company ThroughTek and implemented as an SDK built into software and networked IoT devices. An attacker could exploit this vulnerability by obtaining victim Kalay UIDs through social engineering or through other vulnerabilities in APIs or services that return Kalay UIDs. An attacker could then maliciously register this UID on the Kalay network and impersonate the victim device.
Successful exploitation of this vulnerability could allow an attacker to hijack the victim's connection, expose sensitive content to eavesdropping threat actors, and enable attackers to take control of devices, perform remote code execution and gain unauthorized access to sensitive information.
Solution
If the SDK is version 3.1.10 and above, enable AuthKey and DTLS.
If the SDK is any version prior to 3.1.10, upgrade the library to v3.3.1.0 or v3.4.2.0 and enable AuthKey/DTLS.
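As an added illustration that is not part of this advisory, the following Python script maps the "Software Affected" conditions and the "Solution" rules above onto an inventory triage check; the KalayDeployment fields and the sample records are assumptions constructed for this example, not ThroughTek's own API.

```python
from dataclasses import dataclass

# Boundary from "Software Affected": SDK version 3.1.10 or prior.
LAST_AFFECTED_VERSION = "3.1.10"


def parse_version(v: str) -> tuple:
    """Turn 'v3.4.2.0' or '3.1.10' into a comparable 4-part tuple (3.1.10 -> (3,1,10,0))."""
    parts = [int(p) for p in v.lstrip("vV").split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts[:4])


@dataclass
class KalayDeployment:            # hypothetical inventory record (assumption)
    sdk_version: str
    nossl_build: bool             # SDK built with the "nossl" tag
    authkey_enabled: bool         # AuthKey used for IOTC connections
    uses_avapi: bool
    dtls_enabled: bool            # DTLS enabled for the AVAPI module
    uses_p2ptunnel_or_rdt: bool


def assess(d: KalayDeployment) -> list:
    """Return every advisory condition that this deployment matches."""
    findings = []
    if parse_version(d.sdk_version) <= parse_version(LAST_AFFECTED_VERSION):
        findings.append("SDK version 3.1.10 or prior")
    if d.nossl_build:
        findings.append("SDK built with the 'nossl' tag")
    if not d.authkey_enabled:
        findings.append("AuthKey not used for IOTC connections")
    if d.uses_avapi and not d.dtls_enabled:
        findings.append("AVAPI module used without DTLS")
    if d.uses_p2ptunnel_or_rdt:
        findings.append("P2PTunnel or RDT in use")
    return findings


def recommended_action(d: KalayDeployment, findings: list) -> str:
    """Apply the Solution rules: upgrade first when older than 3.1.10, then AuthKey + DTLS."""
    if not findings:
        return "No affected condition matched; keep AuthKey and DTLS enabled"
    if parse_version(d.sdk_version) < parse_version(LAST_AFFECTED_VERSION):
        return "Upgrade the SDK to v3.3.1.0 or v3.4.2.0 and enable AuthKey/DTLS"
    return "Enable AuthKey and DTLS"


if __name__ == "__main__":
    # Constructed sample records for demonstration only.
    for dev in (KalayDeployment("3.0.9", True, False, True, False, False),
                KalayDeployment("v3.4.2.0", False, True, True, True, False)):
        f = assess(dev)
        print(dev.sdk_version, f, "->", recommended_action(dev, f))
```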
References
US-CERT (CISA)
https://us-cert.cisa.gov/ics/advisories/icsa-21-229-01
FireEye
https://github.com/fireeye/Vulnerability-Disclosures/blob/master/FEYE-2021-0020/FEYE-2021-0020.md
Disclaimer
The information provided herein is on “as is” basis, without warranty of any kind.