A critical vulnerability in the Kalay cloud platform for IoT devices disclosed this week could enable an attacker to impersonate any device, collect user credentials, and execute commands on the device.
The Kalay platform, provided by ThroughTek, is a cloud network that provides a communications network for IoT devices, including IP cameras, DVRs, and other devices. It uses a proprietary protocol and SDK, and researchers from Mandiant recently discovered a critical flaw in the SDK that could give an attacker complete control over a vulnerable device. However, there are some considerable hurdles to exploitation, including the ability to gain valid user credentials.
“An attacker would require comprehensive knowledge of the Kalay protocol and the ability to generate and send messages. The attacker would also need to obtain Kalay UIDs through social engineering or other vulnerabilities in APIs or services that return Kalay UIDs. From there, an attacker would be able to remotely compromise affected devices that correspond to the obtained UIDs,” Mandiant’s advisory says.
The Mandiant researchers went through a long and complex process of understanding the Kalay protocol and building their own interface for it, and then vegan looking for weaknesses. After discovering that the device registration process for the network requires only a 20-byte unique identifier, the researchers began looking for ways to abuse tha process.
“If an attacker obtains a UID of a victim Kalay device, they can maliciously register a device with the same UID on the network and cause the Kalay servers to overwrite the existing Kalay device."
“If an attacker obtains a UID of a victim Kalay device, they can maliciously register a device with the same UID on the network and cause the Kalay servers to overwrite the existing Kalay device. Once an attacker has maliciously registered a UID, any client connection attempts to access the victim UID will be directed to the attacker. The attacker can then continue the connection process and obtain the authentication materials (a username and password) needed to access the device,” the advisory says.
“With the compromised credentials, an attacker can use the Kalay network to remotely connect to the original device, access AV data, and execute RPC calls. Vulnerabilities in the device-implemented RPC interface can lead to fully remote and complete device compromise. Mandiant observed that the binaries on IoT devices processing Kalay data typically ran as the privileged user root and lacked common binary protections such as Address Space Layout Randomization (“ASLR”), Platform Independent Execution (“PIE”), stack canaries, and NX bits.”
The results of an attacker compromising a vulnerable device on the Kalay network could be quite serious. An adversary who gained access to a vulnerable IP camera, for example, may be able to watch video and listen to audio in real time. Throughtek has released a new version of the SDK to address the vulnerability--version 3.1.10--and both Mandian and ThroughTek recommend that vendors that use the Kalay protocol upgrade to the fixed version.