Updated as of 27.10.21 with information about about vulnerability patching from the affected vendors.

——–

This research was performed by Matan Borenshtein and Alex Gelman from SAM’s Data Department.

Take a quick mental inventory of the smart devices in your life. This includes gadgets located throughout your home, your office, and even those that you wear wrapped around your wrist. Smart cameras have become a staple in many of our homes and working environments, and we rely on them for various modes of communication, protection, and surveillance of our surroundings. So what happens when these gadgets become compromised and fall into the hands of cyber criminals?

A vulnerability affecting a selection of popular Wi-Fi-connected devices was originally reported by a group of researchers on Mandiant’s Red Team in cooperation with the Cybersecurity and Infrastructure Security Agency (CISA) and ThroughTek. 

In a nutshell, this vulnerability can “enable adversaries to remotely compromise victim IoT devices, resulting in the ability to listen to live audio, watch real time video data, and compromise device credentials for further attacks based on exposed device functionality. These further attacks could include actions that would allow an adversary to remotely control affected devices.” 

What is ThroughTek?

ThroughTek is a provider of machine-to-machine (M2M) solutions for various devices related to anything from surveillance and security systems to smart devices regularly found in one’s home to connected agriculture equipment. FireEye notes that “ThroughTek advertises having more than 83 million active devices and over 1.1 billion monthly connections on their platform. ThroughTek’s clients include IoT camera manufacturers, smart baby monitors, and Digital Video (DVR) products.”

How does the ThroughTek vulnerability work?

The ThroughTek vulnerability is located in its Kalay network, which is a protocol implemented as an SDK built into software and networked IoT devices.

Putting it simply, if an Original Equipment Manufacturer (OEM) used the ThroughTek Kalay protocol SDK as part of the software of their devices, the vulnerability in question could allow third parties to gain full access to the Wi-Fi-connected devices that the OEM manufactured.

What does this mean for the people purchasing and using these devices, then? This can include anything from:

• Remotely viewing content streaming from a Wi-Fi camera (in other words, listening to audio and/or watching video)
• Replacing the software on the camera, thereby opening it up to further vulnerabilities
• Enabling the camera to spy on network activity in home or office networks

Digging into the ThroughTek vulnerability with research

Building on the findings from Mandiant and the research performed by FireEye, SAM’s Cyber Research Team has identified a collection of specific devices that connect to the Kalay network, and as a result, each of them were left potentially exposed to the ThroughTek vulnerability.

Some of the identified devices include IoT products commonly found in many homes, like Wi-Fi cameras, network storage devices and doorbells:

• Xiaomi Mi Chuangmi
• Xiaomi “Xiaovv” Cameras
• JOOAN 1080P Wi-Fi Camera
• AirDisk Q3C and Q3X network storage
• Dling Smart Video Doorbell
• Night Owl security cameras
• RaySharp security cameras (No specific model identified)
• Digicube security cameras
• Devices by Tuya

Our team detected this collection of vulnerable devices using the ThroughTek SDK and our device fingerprinting technology.

After identifying the devices, SAM’s security researchers reviewed their network traffic. One interesting finding is that many of the devices that showcase this vulnerability also send networking information that’s typically associated with Chrome running on Windows devices, despite the fact that the devices don’t actually use the Windows operating system.

While there isn’t anything inherently wrong with this network and/or device behavior, it’s typically associated with “sloppy” firmware development.

In other words, the devices’ developer could have simply copy-pasted a piece of software taken directly from the internet without fully validating it and ensuring that it’s the best one for their use.

[The vulnerability discussed above is not present in the IoT devices themselves but rather on the mobile/desktop application. The vendors have since updated the software to patch this vulnerability. SAM recommends owners of these devices update them in order to ensure they’re properly secured.]

Keeping IoT devices secure: A 5G and 21st century challenge

Threats similar to the ThroughTek vulnerability have become increasingly frequent, and it’s not a stretch to say that many of the smart devices that we know and love are targeted on a regular basis.

While many people are becoming aware of privacy and security threats, specifically with regards to their computers and phones, the risks associated with IoT devices remain in the dark. With the exponential rise of IoT device usage, both at home and in the commercial landscape, we expect IoT-related threats to pose a significant challenge in the years to come.

In the upcoming months, we will publish several articles exploring how we — as individuals, as corporates and even IoT OEMs — can improve the security of the IoT devices that we interact with in our daily lives.