
Supply Chain Vulnerability in Cloud Connectivity Platform Threatens 83 Million IoT Devices

A supply chain vulnerability in the ThroughTek “Kalay” network, a cloud-based communications platform used by an estimated 83 million Internet of Things (IoT) devices, could allow remote compromise and control of those devices, including monitoring audio and video feeds and exposing passwords.

The good news is that the attack is hypothetical, discovered in late 2020 by security researchers. The bad news is that now that it has been disclosed, it will be up to device manufacturers to ensure that they make the recommended changes to secure their Kalay connections, and it may not be possible to secure certain devices.

Security researchers: “Impossible” to compile complete list of impacted IoT devices

The Kalay supply chain vulnerability was discovered by Mandiant’s Red Team in late 2020, though it was kept under wraps until a public disclosure was made last week. The vulnerability is extremely serious due to both the massive number of devices that use the platform and the totality of access that a successful attacker would have. Once a device is compromised, attackers could view camera feeds and listen in on locations via smart baby monitors. They could also take remote control of all sorts of devices, but it’s difficult to estimate exactly how much physical damage they could do. That’s because ThroughTek estimates it has about 1.1 billion active connections every month, and devices integrate its protocol at the time of manufacture (or equipment “white labeling” for resale) with apparently no comprehensive records of which are using it.

The ThroughTek name may sound familiar, as it was just three months ago that security researchers with Nozomi Networks published a different supply chain vulnerability that also involved the company. While that one also potentially allowed access to camera feeds, it was limited to CCTV camera products and did not allow for direct access to device controls. This new vulnerability makes possible complete control of any type of IoT device using the Kalay network, and also creates the possibility of remote code execution that could allow for further movement into the networks that the IoT devices are connected to.

One piece of good news is that there are some limits on accessibility for would-be attackers. A hacker would need the target device’s unique identifier (UID), generally not available without social engineering a target into revealing it or exploiting some sort of unrelated vulnerability to access the device. Mandiant also says that attackers need “comprehensive” knowledge of the Kalay protocol to craft the messages needed to facilitate the attack. Nevertheless, Mandiant is advising companies to update the SDK and enable specific Kalay security features to eliminate the possibility of being breached by this supply chain vulnerability.

This particular supply chain vulnerability is roughly comparable to the “SIM swap” attacks that allow hackers to remotely take over phone numbers without access to the actual device. It is possible for attackers to register IoT device UIDs on the Kalay network, overwriting the previous registration and redirecting any future device communications to the attacker.
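The registration overwrite described above can be modeled from the defender's side. The following is an added example, not ThroughTek's code and not the Kalay protocol: both registry classes, the per-device key, and the UID and addresses are constructed for illustration, contrasting a registry that trusts a bare UID with one that requires proof of a device secret and records rejected attempts.

```python
import hashlib
import hmac
import os


class UidOnlyRegistry:
    """Weak model: the most recent registration for a UID wins."""

    def __init__(self):
        self.routes = {}

    def register(self, uid, endpoint):
        self.routes[uid] = endpoint  # silently replaces the real device
        return True


class AuthenticatedRegistry:
    """Hardened model: registering requires proof of a per-device key."""

    def __init__(self, device_keys):
        self.device_keys = device_keys  # uid -> secret set at manufacture (assumption)
        self.routes, self.pending, self.rejected = {}, set(), []

    def challenge(self):
        nonce = os.urandom(16)
        self.pending.add(nonce)
        return nonce

    def register(self, uid, endpoint, nonce, proof):
        key = self.device_keys.get(uid)
        fresh = nonce in self.pending
        self.pending.discard(nonce)  # single use, so a captured proof cannot be replayed
        if key is None or not fresh or not hmac.compare_digest(prove(key, nonce, endpoint), proof):
            self.rejected.append((uid, endpoint))  # audit trail for detection
            return False
        self.routes[uid] = endpoint
        return True


def prove(key, nonce, endpoint):
    return hmac.new(key, nonce + endpoint.encode(), hashlib.sha256).digest()


def demo():
    uid, key = "CONSTRUCTED-UID-0001", b"constructed-device-key"
    device, other = "203.0.113.10:4000", "198.51.100.7:4000"
    weak = UidOnlyRegistry()
    weak.register(uid, device)
    weak.register(uid, other)  # second party that knows only the UID
    strong = AuthenticatedRegistry({uid: key})
    n = strong.challenge()
    strong.register(uid, device, n, prove(key, n, device))
    n = strong.challenge()
    strong.register(uid, other, n, prove(b"not-the-key", n, other))
    return weak.routes[uid], strong.routes[uid], strong.rejected
```

In the weak model the route ends up pointing at the second registrant; in the hardened model the original route survives and the failed attempt lands in `rejected`, which is the signal an operator would alert on.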

Supply chain vulnerabilities, IoT device security infirmities remain common

Supply chain vulnerabilities have been on the rise as a means of indirectly penetrating high-value targets in recent years; IoT device security has been a persistent problem since “smart gadgets” first hit the market.

ThroughTek’s two different issues with cameras and baby monitors were not even the first major supply chain vulnerability of this type this year. In February, about 110,000 camera systems using the Real Time Streaming Protocol (RTSP) were found to be exposed to the internet, allowing anyone to drop in and view live streams with little effort.

This particular supply chain vulnerability introduces some new elements, however. IoT devices generally have poor security, but this vulnerability exists in a common SDK used mostly to interface them with mobile apps. While an individual compromised IoT device might not allow an attacker to move much further into the network, the possibilities are greatly increased if they are able to compromise an app as part of the process. Another issue here is that numerous IoT devices will likely lack the over-the-air (OTA) capabilities needed to push the updated version out. Some clients also resist updating SDKs because updates tend to break their products or slow them down.

There are no easy answers to this problem in an industry that competes largely on cost-cutting and bringing new devices to market as quickly as possible, two things that tend to preclude security concerns. Both businesses and households have been ramping up the use of IoT devices in all facets of life in recent years, but the pandemic served as a major accelerant and the increasing rollout of 5G is expected to bring even more smart devices to every corner of the world. Robert Prigge, CEO of Jumio, sees the adoption of biometric security as the most realistic answer in the near term: “While this vulnerability is harmful to anyone with a smart device linked to the Kalay platform, it’s particularly concerning that baby monitor feeds are involved. Through a simple social engineering tactic like phishing, hackers can extract an IoT device’s identifier and obtain its unique credentials. From there, criminals can take full remote control of the device to watch live video feeds, install malware or download footage and leverage it for malicious purposes. While this vulnerability is a serious lapse in security, usernames and passwords in general can no longer be trusted as a secure form of authentication in today’s fraud environment. Instead, companies must leverage biometric authentication – using a person’s unique human traits to verify identity – to ensure smart devices and their connected online accounts can only be accessed by authorized users.”