

Critical vulnerability emerges on Kalay IoT cloud platform
Posted by Stefan Mileschin, 19th August 2021, 06:53

Rain expected

Security researchers are warning of a critical vulnerability affecting tens of millions of devices worldwide connected via ThroughTek's Kalay IoT cloud platform.

The security problem impacts products from various manufacturers providing video and surveillance solutions as well as home automation IoT systems that use the Kalay network for easy connections and communication with a corresponding app.

A remote attacker could use the bug to gain access to the live audio and video streams, or to take control of the vulnerable device.

Insecurity experts at Mandiant's Red Team discovered the vulnerability at the end of 2020 and worked with the US Cybersecurity and Infrastructure Security Agency and ThroughTek to coordinate the disclosure and create mitigation options.

Tracked as CVE-2021-28372, the issue is a device impersonation vulnerability that received a severity score of 9.6 out of 10. It affects the Kalay protocol that is implemented as a software development kit (SDK) that is built into mobile and desktop applications.

Mandiant's Jake Valletta, Erik Barzdukas, and Dillon Franke found that registering a device on the Kalay network required only the device's unique identifier (UID).

A Kalay client, such as a mobile app, usually receives the UID from a web API hosted by the vendor of the IoT device. An attacker with the UID of a target system could register on the Kalay network a device they control and receive all client connection attempts.

This would allow them to obtain the login credentials that provide remote access to the victim device audio-video data.
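
The design weakness described in the post, modelled as an added example that is not part of the original post and is not ThroughTek's code or protocol: a registry that accepts a bare UID beside one that requires proof of a per-device key. All class, function and endpoint names, the HMAC challenge scheme and the sample UID are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def proof_for(key, nonce, endpoint):
    # Device-side answer to a registry challenge (assumed scheme, not Kalay's).
    return hmac.new(key, nonce + endpoint.encode(), hashlib.sha256).digest()

class UidOnlyRegistry:
    # Behaviour the article describes: registration needs only the UID.
    def __init__(self):
        self.routes = {}  # uid -> endpoint that receives client connections

    def register(self, uid, endpoint):
        self.routes[uid] = endpoint  # last registration wins, no identity proof
        return True

class AuthenticatedRegistry:
    # Assumed hardening: registrant proves knowledge of a per-device key.
    def __init__(self, device_keys):
        self.device_keys = device_keys  # uid -> secret provisioned per device
        self.challenges = {}            # uid -> outstanding single-use nonce
        self.routes = {}

    def challenge(self, uid):
        self.challenges[uid] = secrets.token_bytes(16)
        return self.challenges[uid]

    def register(self, uid, endpoint, proof):
        nonce = self.challenges.pop(uid, None)  # consumed once, so no replay
        key = self.device_keys.get(uid)
        if nonce is None or key is None:
            return False
        if not hmac.compare_digest(proof_for(key, nonce, endpoint), proof):
            return False
        self.routes[uid] = endpoint
        return True

def demo():
    uid, key = "CONSTRUCTED-UID-0001", secrets.token_bytes(32)  # constructed values
    weak = UidOnlyRegistry()
    weak.register(uid, "camera.example:1")
    weak.register(uid, "other.example:1")  # registrant that knows only the UID
    strong = AuthenticatedRegistry({uid: key})
    ok = strong.register(uid, "camera.example:1",
                         proof_for(key, strong.challenge(uid), "camera.example:1"))
    denied = strong.register(uid, "other.example:1",
                             proof_for(b"\x00" * 32, strong.challenge(uid), "other.example:1"))
    return weak.routes[uid], ok, denied, strong.routes[uid]
```

In the UID-only model the route for the UID ends up pointing at the second registrant, while the authenticated model keeps the route on the endpoint that proved possession of the device key.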
