Security researchers have discovered a critical flaw that affects tens of millions of internet-of-things (IoT) devices, one that exposes live video and audio streams to eavesdropping threat actors and which could enable attackers to take over control of devices, including security webcams and connected baby monitors. The bug is in ThroughTek’s Kalay network, used in 83 million devices.
This vulnerability, discovered by researchers on Mandiant’s Red Team, tracked as CVE-2021-28372 and FEYE-2021-0020 and assigned a critical CVSS3.1 base score of 9.6, was found in devices connected via ThroughTek’s Kalay IoT cloud platform.
The company explained that the vulnerability would enable cyber adversaries to remotely compromise the victims IoT device, resulting in the ability to listen to live audio, watch real-time video data, and compromise device credentials for further attacks based on exposed device functionality. These further attacks could include actions that would allow an adversary to remotely control affected devices.
It has been strongly advised that users of IoT devices keep their device software and applications up to date by using complex, unique passwords for any accounts associated with these devices and to avoid connecting to affected devices from untrusted networks, such as public Wi-Fi.