When it comes to common household devices that one has to assess for cybersecurity risk, you might want to prioritize your baby monitor. Recent headlines shed light on the reality that more than 83 million Internet-connected devices like DVRs, security cameras and baby monitors possess a serious security flaw.
The internal vulnerability is found in ThroughTek Kalay, a software development kit that offers a plug-and-play system to connect these kinds of smart devices to their mobile apps. This means the software enables app authentication, transmitting sometimes sensitive data back and forth from app to device, Wired reports.
Keep in mind this software isn’t limited to one specific device brand or manufacturer — meaning the potential threats associated with it are vast and varied.
Identifying the threat
“You build Kalay in, and it’s the glue and functionality that these smart devices need,” Jake Valletta, a director at Mandiant — the security firm that discovered the flaw in 2020 — told Wired. “An attacker could connect to a device at will, retrieve audio and video, and use the remote API to then do things like trigger a firmware update, change the panning angle of a camera, or reboot the device. And the user doesn’t know that anything is wrong.”
Mandiant’s team of researchers pinpointed that the flaw rests in what is called the UID of each device, the unique Kalay identifier that facilitates the link between a device and its mobile app. A cybercriminal who learns the specific UID for a device can effectively hijack that UID and take control of its connection whenever someone tries to access the device.
From your end, if you’re opening the baby monitor app to connect to the device, there might be a tiny delay, but it will otherwise function as it normally would. Unbeknownst to you, the hacker could be surreptitiously intercepting the connection. This means they could capture usernames and passwords and operate the device remotely.
The implications are grim. A hacker could access an IP camera and embed themselves further, spying on a user through the video feed. They could even remotely operate the device, shutting down feeds at will and installing malware.
Defending against this kind of cyberattack
The Cybersecurity and Infrastructure Security Agency, part of the United States government, cautions that IoT device users should “take defensive measures to minimize the risk of exploitation of this vulnerability.”
Wired reports that if you have one of these devices you should make sure it is running at least Kalay version 3.1.10, originally made available in 2018, or a more recent version. Unfortunately, updating alone doesn’t mean the vulnerability is corrected. The onus is on manufacturers to turn on two optional Kalay features: the DTLS encrypted communication protocol and the AuthKey API authentication mechanism.
“We have been informed by Mandiant of a vulnerability … which could permit a malicious third-party unauthorized access to sensitive information, and we have notified our customers and assisted the customers who used the outdated SDK to update the firmware of the devices,” Yi-Ching Chen, a product security incident response team member at ThroughTek, told Wired.