“The affected ThroughTek P2P products may be vulnerable to improper access controls,” CISA wrote in its Tuesday advisory. “This vulnerability can allow an attacker to access sensitive information (such as camera feeds) or perform remote code execution. … CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.”
As with many internet-of-things security meltdowns, though, identifying where the bug exists is a far cry from getting it fixed. ThroughTek is only one part of a massive ecosystem that needs to participate in addressing the vulnerability. Manufacturers incorporate Kalay in their products, which may then be bought by another company to be sold with a particular brand name. This means that while ThroughTek offers options that can be enabled to mitigate the flaw, it’s difficult to know exactly how many companies rely on Kalay and need to turn these features on—if they are even running a new enough version of the SDK to do it.
The researchers are not releasing details about their analysis of the Kalay protocol or the specifics of how to exploit the vulnerability. They say they haven’t seen evidence of real-world exploitation, and their goal is to raise awareness about the problem without handing real attackers a road map.
To defend against exploitation, devices need to be running Kalay version 3.1.10, originally released by ThroughTek in late 2018, or higher. But even the current Kalay SDK version (3.1.5) does not automatically fix the vulnerability. Instead, ThroughTek and Mandiant say that to plug the hole manufacturers must turn on two optional Kalay features: the encrypted communication protocol DTLS and the API authentication mechanism AuthKey.
“We have been informed by Mandiant of a vulnerability … which could permit a malicious third-party unauthorized access to sensitive information, and we have notified our customers and assisted the customers who used the outdated SDK to update the firmware of the devices,” says Yi-Ching Chen, a product security incident response team member at ThroughTek.
Chen adds, though, that it has been difficult to get customers to update en masse—an observation that tracks with Mandiant’s findings. Three years after releasing a version of the SDK that contains options for stopping these types of attacks, Mandiant researchers stumbled on a massive population of devices that are still vulnerable.
“For the past three years, we have been informing our customers to upgrade their SDK,” ThroughTek’s Chen says. “Some old devices lack OTA [over the air update] function which makes the upgrade impossible. In addition, we have customers who don’t want to enable the DTLS because it would slow down the connection establishment speed, therefore are hesitant to upgrade.”
Mandiant’s Valletta says that ThroughTek’s late 2018 SDK version didn’t come with adequate information for customers about how critical it was to update and proactively enable the two protective features. The company recently issued an alert in response to Mandiant’s research that is more forceful.
“This is not a quick fix for many of ThroughTek’s customers, so when it’s posed as an optional update, we anticipate many of them did not prioritize it, as they did not realize it was tied to mitigating a critical vulnerability,” Valletta says.