The rising security breaches and vulnerability exploits on the Internet of Things (IoT) indicate that connected devices are never 100% secure. Security researchers from Mandiant, in coordination with the Cybersecurity and Infrastructure Security Agency (CISA), recently discovered a critical flaw that affects millions of IoT devices connected via ThroughTek’s Kalay network.
Tracked as CVE-2021-28372 and FEYE-2021-0020, the flaw could allow remote hackers to eavesdrop on live video and audio streams and take over control of the vulnerable devices, including connected webcams, baby monitors, and digital video recorders. It is estimated that over 83 million IoT devices are vulnerable to this flaw. Successful exploitation of the flaw could allow attackers to remotely control the targeted IoT devices to launch remote code execution attacks.
Proof of Concept
In a video, Mandiant explained how attackers could exploit the CVE-2021-28372 flaw to break into IoT devices.
Video Courtesy: Mandiant
“With the compromised credentials, an attacker can use the Kalay network to remotely connect to the original device, access AV data, and execute RPC calls. Vulnerabilities in the device-implemented RPC interface can lead to fully remote and complete device compromise. Mandiant observed that the binaries on IoT devices processing Kalay data typically ran as the privileged user root and lacked common binary protections such as Address Space Layout Randomization (ASLR), Platform Independent Execution (PIE), stack canaries, and NX bits,” Mandiant stated in a post.
Speaking exclusively with CISO MAG, Dillon Franke, Associate Consultant, Proactive Services, Mandiant Consulting said, “Mandiant envisions cybercriminals and nation state actors alike being interested in this vulnerability. Cybercriminals could use a working exploit to steal sensitive data from victims or extort them into paying money, while nation-state actors could potentially use this vulnerability to perform mass surveillance of Kalay network users.”
Mandiant urged users to update their devices as early as possible to avoid any potential cyber intrusions. It also recommended users to change the passwords for any associated accounts. In addition, CISA released an Industrial Control Systems (ICS) advisory explaining the severity of the vulnerability.
CISA also recommended security measures to mitigate the risk of exploitation of the flaw. These include:
- Minimize network exposure for all control system devices and ensure that they are not accessible online.
- Locate control system networks and remote devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also, remember VPN is only as secure as its connected devices.
- Perform proper impact analysis and risk assessment before deploying defensive measures.
IoT vulnerabilities pose a severe risk to end user data privacy. It’s necessary to secure IoT devices as threat actors can intercept other connected devices in the same grid.