New IoT Device Vulnerability Announced

Mandiant, the Department of Homeland Security, and IoT provider ThroughTek have disclosed a critical vulnerability affecting millions of IoT devices.

Lauren Horwitz

August 18, 2021


Mandiant, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and Internet of Things provider ThroughTek have disclosed a critical vulnerability affecting millions of IoT devices that could let attackers spy on video and audio feeds from Web cameras, baby monitors, and other devices.

CVE-2021-28372 was discovered by Mandiant’s Jake Valletta, Erik Barzdukas, and Dillon Franke, and it exists in several versions of ThroughTek’s Kalay protocol.

The Kalay protocol is implemented as a software development kit (SDK) that is built into client software, such as a mobile or desktop application, and into networked IoT devices such as smart cameras. ThroughTek claims to have more than 83 million active devices and at least 1.1 billion monthly connections on its platform, and its clients include manufacturers of IoT cameras, smart baby monitors, and digital video recorder (DVR) products.

This isn’t the first ThroughTek flaw disclosed this year. In May 2021, researchers with Nozomi Networks disclosed a security camera vulnerability affecting a software component from ThroughTek. Unlike that earlier flaw, CVE-2021-28372 allows attackers to communicate with devices remotely and, in doing so, control devices and potentially conduct remote code execution.

Check out the full story on Dark Reading.

About the Author

Lauren Horwitz

Lauren Horwitz is a senior content director on Channel Futures, Channel Partners and IoT World Today.
