A critical security vulnerability that affects IoT devices has been found in the ThroughTek Kalay network, and can potentially pose a huge risk to millions of such devices, according to a security analyst report. Unprotected devices, such as IoT cameras, can be compromised remotely with access to a uniquely assigned identifier (UID) and further attacks are possible depending on the functionality exposed by a device.
The security risk, detected by researchers on Mandiant’s Red Team in late 2020, would enable adversaries to remotely compromise victim IoT devices, resulting in their ability to listen to live audio, watch real-time video data, and compromise device credentials for further attacks based on exposed device functionality.
Jake Valletta, Erik Barzdukas, and Dillon Franke from Mandiant reported the vulnerability to Cybersecurity and Infrastructure Security Agency (CISA), the U.S. security agency said in its advisory.
A CVSS v3 base score of 9.8 has been calculated and assigned to the ThroughTek Kalay P2P SDK vulnerability. For critical infrastructure operators, this vulnerability could lead to the leakage of sensitive business, production, and employee information, which can be remotely exploited using low attack complexity.
In June, CISA announced the presence of a security vulnerability in ThroughTek P2P (Peer-to-Peer) SDK that allows cleartext transmission of sensitive information, such as camera audio/video feeds. The vulnerability affects a software component, part of the supply chain for many OEMs (original equipment manufacturers) of consumer-grade security cameras and IoT devices.
But, unlike the ThroughTek P2P vulnerability, the ThroughTek Kalay vulnerability allows attackers to communicate with devices remotely. This increases the risk surface and could lead to attacks that would allow an adversary to remotely control affected devices, and potentially lead to remote code execution.
The vulnerability resides in the P2P library shipped with SDK versions up to and including 3.1.5, according to ThroughTek. “The main concern is that this vulnerability may cause IOTC encryption to be compromised. This vulnerability has been addressed in SDK version 3.1.10 and onwards, which was released in 2018,” the Taiwanese company added in its advisory.
The affected SDK is deployed globally across the communications critical infrastructure sector. To exploit the flaw, an attacker would require comprehensive knowledge of the Kalay protocol and the ability to generate and send messages, Mandiant said in a blog post. The attacker would also need to obtain Kalay UIDs through social engineering or other vulnerabilities in APIs or services that return Kalay UIDs. From there, an attacker would be able to remotely compromise affected devices that correspond to the obtained UIDs, it added.
Mandiant researchers analyzed the ThroughTek Kalay protocol using two different approaches. First, the researchers selectively downloaded and disassembled applications from both the Google Play Store and Apple App Store that included ThroughTek libraries. These libraries typically did not contain debugging symbols, which required the team to also perform dynamic analysis with tools such as Frida, gdb, and Wireshark.
In addition, Mandiant purchased various Kalay-enabled devices. The team performed local and hardware-based attacks to obtain shell access, recover firmware images, and perform additional dynamic testing. These techniques included identifying UART/JTAG interfaces, performing chip-off attacks, and exploiting other debugging functionality existing on the devices, it added.
Over several months, the researchers developed a fully functional implementation of ThroughTek’s Kalay protocol, which enabled the team to perform key actions on the network, including device discovery, device registration, remote client connections, authentication, and processing of audio and video (AV) data. Equally important, the Kalay protocol also implements remote procedure call (RPC) functionality. This varies from device to device but is typically used for device telemetry, firmware updates, and device control.
Having written a flexible interface for creating and manipulating Kalay requests and responses, Mandiant researchers focused on identifying logic and flow vulnerabilities in the Kalay protocol. The vulnerability discussed here affects how Kalay-enabled devices access and join the Kalay network. The researchers determined that the device registration process requires only the device’s 20-byte unique identifier (UID) to access the network.
In Mandiant’s testing, the UID was given to a Kalay-enabled client, such as a mobile application, from a web API hosted by the company that markets and sells a device model. Mandiant investigated the viability of brute-forcing ThroughTek UIDs and found it to be infeasible due to the necessary time and resources.
With the compromised credentials, an attacker can use the Kalay network to remotely connect to the original device, access AV data, and execute RPC calls. Vulnerabilities in the device-implemented RPC interface can lead to fully remote and complete device compromise. Mandiant observed that the binaries on IoT devices processing Kalay data typically ran as the privileged user root and lacked common binary protections such as Address Space Layout Randomization (ASLR), Platform Independent Execution (PIE), stack canaries, and NX bits.
Mandiant and ThroughTek have advised companies using the Kalay protocol to upgrade to at least version 3.1.10, and enable both the DTLS feature to protect data in transit and the AuthKey feature to add another layer of authentication during client connection. Hardening features such as ASLR, PIE, NX, and stack canaries should be enabled on all binaries processing Kalay data, and RPC functions should be treated as untrusted and sanitized appropriately.
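The binary-hardening part of that advice can be audited directly on a firmware image. The following is an added example, not code from Mandiant or ThroughTek: a minimal ELF header check for PIE (ET_DYN), a non-executable stack (PT_GNU_STACK without PF_X) and a stack-canary reference, with a constructed ELF64 sample so it runs offline. ASLR itself is a kernel setting and is not visible in the binary, so it is not checked here.

```python
"""Audit an ELF binary for the hardening features the advisory recommends."""
import struct

ET_DYN = 3                 # e_type of a position-independent executable
PT_GNU_STACK = 0x6474E551  # program header that declares stack permissions
PF_X = 0x1                 # executable flag in p_flags


def check_hardening(data: bytes) -> dict:
    """Return {"pie", "nx", "canary"} booleans for an ELF32 or ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2
    en = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little endian
    e_type, = struct.unpack_from(en + "H", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(en + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(en + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(en + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(en + "HH", data, 42)
    nx = False  # no PT_GNU_STACK entry means the loader assumes an executable stack
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            p_type, p_flags = struct.unpack_from(en + "II", data, off)
        else:
            p_type, = struct.unpack_from(en + "I", data, off)
            p_flags, = struct.unpack_from(en + "I", data, off + 24)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    # Heuristic: a canary-protected binary imports __stack_chk_fail.
    canary = b"__stack_chk_fail" in data
    return {"pie": e_type == ET_DYN, "nx": nx, "canary": canary}


def build_sample(pie: bool, exec_stack: bool, canary: bool) -> bytes:
    """Constructed minimal ELF64 image (header + one PT_GNU_STACK phdr) for testing."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else 2, 0x3E, 1,
                              0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    flags = 0x6 | (PF_X if exec_stack else 0)
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    return hdr + phdr + (b"__stack_chk_fail\x00" if canary else b"")


if __name__ == "__main__":
    print(check_hardening(build_sample(pie=False, exec_stack=True, canary=False)))
```

Run it against a real firmware binary with `check_hardening(open(path, "rb").read())`; any False value is a gap against the advisory's recommendations.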
Mandiant recommends that IoT device manufacturers apply stringent controls around web APIs used to obtain Kalay UIDs, usernames, and passwords to minimize an attacker’s ability to harvest sensitive materials needed to access devices remotely. Failure to protect web APIs which return valid Kalay UIDs could allow an attacker to compromise a large number of devices, it added.