If you haven't updated your ThroughTek DVR since 2018 do so now, warns Mandiant as critical vuln surfaces

Callooh! Kalay! Outdated SDK component poses threat, says intel firm

A critical vulnerability affecting tens of millions of digital video recorders powering baby monitors and CCTV systems across the world has been uncovered by Mandiant, which claims the vuln allows for unauthorised viewing of live camera footage.

The vuln exists in Chinese IoT vendor ThroughTek's Kalay communication protocol, the researchers claim, adding that malicious users could exploit the vuln to remotely access victims' DVRs.

Exploiting the vuln for real, however, involves carrying out a man-in-the-middle attack, meaning the attacker either needs to first obtain your home or office Wi-Fi password, or needs the user to do something like open a remote management mobile app while on a poorly secured coffee shop Wi-Fi network.

While the vulnerability is bad, and potentially affects up to 83 million DVRs using the Kalay protocol worldwide, there are some straightforward controls on network access (mostly implementing strong passwords) anyone can carry out to make exploitation less likely.

"Unlike the vulnerability published by researchers from Nozomi Networks in May 2021 (also in coordination with CISA), this latest vulnerability allows attackers to communicate with devices remotely," warned Mandiant Threat Intelligence today. "As a result, further attacks could include actions that would allow an adversary to remotely control affected devices and could potentially lead to remote code execution."

Tracked as CVE-2021-28732, the vuln is rated 9.6 out of 10 on the CVSSv3.1 severity scale. ThroughTek boasts 83 million active users – though the company said it had been aware of this flaw, encouraging customers to patch it since 2018.

How does the attack work?

ThroughTek's Kalay protocol is "implemented as a Software Development Kit ('SDK') which is built into client software (e.g. a mobile or desktop application) and networked IoT devices, such as smart cameras", said Mandiant in a blog post.

Kalay requires only a device unique identity number (UID) to provision a new DVR on a network. An attacker who obtains that UID can maliciously register their own device in place of the original, meaning all connection requests intended for the original go to the attacker instead.

When the user tries to access the DVR through the Kalay protocol (say, via a mobile app management interface), the DVR's username and password are transmitted to the registered UID. By MITM'ing these details, the attacker can forward on the connection request and examine the device's video and audio feed at their leisure.

With the access credentials for the DVR in the attacker's hands, that device could potentially be used for further attacks – but their severity depends on whether the DVR vendor did something silly such as reusing admin credentials across all its devices. ThroughTek is a software vendor, meaning these potential attacks become a study in case-by-case compromise rather than a blanket attack vector.

Kalay UIDs are obtained from an API hosted by ThroughTek, said Mandiant, and reverse-engineering that API was non-trivial enough that the company didn't attempt it. Discovering the vuln required reverse-engineering the entire Kalay protocol, it added.

ThroughTek PSIRT member Yi-Ching Chen told The Register the company had "assisted the customers who used the outdated SDK to update the firmware of the devices with a patch fix released in late 2018."

"For the past three years, we have been informing our customers to upgrade their SDK," he added. "Some old devices lack OTA function which makes [firmware] upgrades impossible. In addition, we have customers who don't want to enable DTLS because it would slow down the connection establishment speed, therefore are hesitant to upgrade."

Mandiant advised users to upgrade the Kalay SDK to version or above and to enable DTLS (datagram transport layer security; TLS for video streams, basically) and Kalay's Authkey technology.
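To make the registration weakness described above and the Authkey-style mitigation concrete, here is a constructed toy model (added here; not ThroughTek's code or the real Kalay protocol). It assumes a rendezvous registry keyed by UID, a hypothetical per-device secret provisioned out of band, and made-up UID and endpoint values; the real Authkey mechanism is not documented on this page.

```python
import hashlib
import hmac
import secrets

# Constructed toy model of a Kalay-style rendezvous registry; not ThroughTek's code.

class UidOnlyRegistry:
    """Weak model: whoever registers a UID last owns its endpoint."""
    def __init__(self):
        self.endpoints = {}

    def register(self, uid, endpoint):
        # No proof of ownership: knowing the UID is enough to overwrite the entry.
        self.endpoints[uid] = endpoint
        return True

    def resolve(self, uid):
        return self.endpoints.get(uid)

class AuthkeyRegistry:
    """Hardened model: a registration must carry an HMAC over (uid, endpoint)
    keyed with a per-device secret provisioned out of band (an assumed
    stand-in for an Authkey-style check, not ThroughTek's design)."""
    def __init__(self, device_secrets):
        self.device_secrets = device_secrets  # uid -> secret bytes, shared with the device
        self.endpoints = {}

    @staticmethod
    def tag(secret, uid, endpoint):
        return hmac.new(secret, f"{uid}|{endpoint}".encode(), hashlib.sha256).hexdigest()

    def register(self, uid, endpoint, tag):
        secret = self.device_secrets.get(uid)
        if secret is None or not hmac.compare_digest(tag, self.tag(secret, uid, endpoint)):
            return False  # reject: the UID alone does not prove the registrant is the device
        self.endpoints[uid] = endpoint
        return True

    def resolve(self, uid):
        return self.endpoints.get(uid)

def demo(uid="CONSTRUCTED-UID-0001"):
    # Re-register the same UID from a second party against both registries.
    weak = UidOnlyRegistry()
    weak.register(uid, "dvr.home.lan:10001")
    weak.register(uid, "second-party.example:10001")  # accepted on the UID alone
    secret = secrets.token_bytes(32)  # would be provisioned at manufacture
    strong = AuthkeyRegistry({uid: secret})
    strong.register(uid, "dvr.home.lan:10001", AuthkeyRegistry.tag(secret, uid, "dvr.home.lan:10001"))
    accepted = strong.register(uid, "second-party.example:10001", "0" * 64)
    return weak.resolve(uid), accepted, strong.resolve(uid)
```

In the weak model the second registration silently replaces the device's endpoint; in the hardened model it is rejected and the original endpoint is kept, which is the property the SDK upgrade plus Authkey and DTLS are meant to restore.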

DVRs have long been known as juicy targets for the maliciously inclined; in 2017 the SANS Institute warned that DVRs were a specific target for spray-and-pray login attempts using known lists of default credentials. ®
