The researchers are not releasing details about their analysis of the Kalay protocol or the specifics of how to exploit the vulnerability. They say they haven’t seen evidence of real-world exploitation, and their goal is to raise awareness about the problem without handing real attackers a road map.
To defend against exploitation, devices need to be running Kalay version 3.1.10, originally released by ThroughTek in late 2018, or higher. But even the current Kalay SDK version (3.1.5) does not automatically fix the vulnerability. Instead, ThroughTek and Mandiant say that to plug the hole, manufacturers must turn on two optional Kalay features: the encrypted communication protocol DTLS and the API authentication mechanism AuthKey.
“We have been informed by Mandiant of a vulnerability … which could permit a malicious third-party unauthorized access to sensitive information, and we have notified our customers and assisted the customers who used the outdated SDK to update the firmware of the devices,” says Yi-Ching Chen, a product security incident response team member at ThroughTek.
Chen adds, though, that it has been difficult to get customers to update en masse—an observation that tracks with Mandiant’s findings. Three years after releasing a version of the SDK that contains options for stopping these types of attacks, Mandiant researchers stumbled on a massive population of devices that are still vulnerable.
“For the past three years, we have been informing our customers to upgrade their SDK,” ThroughTek’s Chen says. “Some old devices lack OTA [over the air update] function which makes the upgrade impossible. In addition, we have customers who don’t want to enable the DTLS because it would slow down the connection establishment speed, therefore are hesitant to upgrade.”
Mandiant’s Valletta says that ThroughTek’s late 2018 SDK version didn’t come with adequate information for customers about how critical it was to update and proactively enable the two protective features. The company recently issued an alert in response to Mandiant’s research that is more forceful.
“This is not a quick fix for many of ThroughTek’s customers, so when it’s posed as an optional update, we anticipate many of them did not prioritize it, as they did not realize it was tied to mitigating a critical vulnerability,” Valletta says.
Researchers from Nozomi Networks also recently disclosed a different Kalay vulnerability that could be exploited to access live audio and video feeds as well. And researchers have warned for years about the potential security implications of prefab IoT platforms like Kalay.
For regular users who may already have vulnerable devices in their homes or businesses, there’s no complete list of impacted devices to work off of. You should simply install any available software updates on your embedded devices whenever possible. Mandiant’s Valletta says he’s hopeful that today’s public disclosure will help raise awareness and get more large vendors to update Kalay in their products. But he says, realistically, fixes may never come to devices made by smaller companies, those who don’t invest heavily in security, or those who buy their devices from white label providers and then slap a brand name on.
“I think there is light at the end of the tunnel, but I’m hesitant to say that everyone is going to patch,” Valletta says. “We’ve been doing this for years, and we see a lot of patterns and kinds of bugs over and over again. Internet-of-things security still has a lot of catching up to do.”
Updated August 17, 2021 at 1pm ET to include comment from ThroughTek and additional context about mitigations from Mandiant.