83 million IoT devices at risk of hacking

The vulnerability could enable threat actors to listen in on private conversations and watch live video streams

A concept visualising IoT security

At least 83 million Internet of Things (IoT) devices around the world could be at risk of hacking, potentially enabling threat actors to listen in on private conversations and watch live video streams from baby monitors and smart cameras.

That's according to new findings from Mandiant, a cyber security company and subsidiary of FireEye.

Mandiant security researchers Jake Valletta, Erik Barzdukas, and Dillon Franke discovered a vulnerability that affects IoT devices that use the Kalay network platform manufactured by Taiwanese IoT and M2M (machine-to-machine) solutions provider ThroughTek.

Tracked as CVE-2021-28372, the vulnerability affects a core component of the Kalay platform, allowing hackers to “listen to live audio, watch real-time video data, and compromise device credentials for further attacks based on exposed device functionality”, according to the researchers.

Although Mandiant was not able to pinpoint the affected devices, its researchers noted that ThroughTek has at least 83 million active devices as well as an estimated 1.1 billion monthly connections on its Kalay platform, with all of them potentially being exposed to hackers.

Mandiant disclosed the vulnerability to the US’ Cybersecurity and Infrastructure Security Agency (CISA), which has published an advisory report on the issue that recommends that users disconnect their ThroughTek devices from the internet, isolate them from the business networks, and to only connect to devices through virtual private networks (VPN).

A spokesperson for the UK’s National Cyber Security Centre (NCSC) told IT Pro that it is “aware of this vulnerability”, adding that ThroughTek “has released an update to fix the issue”.

Related Resource

X-Force Threat Intelligence Index

Top security threats and recommendations for resilience

Transparent cube against a black background - whitepaper from IBMFree download

“Simply using the platform does not automatically make you vulnerable to real-world impact, as additional information that is hard to guess is needed to exploit the vulnerability in an individual device successfully. To maximise protection, the NCSC recommends individuals keep their software up to date by installing the latest vendor updates as soon as practicable,” said the NCSC spokesperson.

The discovery of CVE-2021-28372 by Mandiant comes two months after Nozomi Networks researchers discovered a similar flaw affecting ThroughTek’s P2P SDK, which is used to provide remote access to audio or video streams over the internet.

The UK government is working on a new law that will force IoT device manufacturers to meet minimum security requirements and banning them from setting easy-to-hack passwords such as ‘admin’ or ‘password’. In April, it was announced that the legislation would also include smartphones.

Featured Resources

The definitive guide to warehouse efficiency

Get your free guide to creating efficiencies in the warehouse

Free download

The total economic impact™ of Datto

Cost savings and business benefits of using Datto Integrated Solutions

Download now

Three-step guide to modern customer experience

Support the critical role CX plays in your business

Free download

Ransomware report

The global state of the channel

Download now

Recommended

Researchers disclose top flaws abused by ransomware gangs
ransomware

Researchers disclose top flaws abused by ransomware gangs

20 Sep 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

17 Sep 2021
How do hackers choose their targets?
hacking

How do hackers choose their targets?

17 Sep 2021
Owner of DDoS for hire sites found guilty of hacking offences
distributed denial of service (DDOS)

Owner of DDoS for hire sites found guilty of hacking offences

17 Sep 2021

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

17 Sep 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
The technology powering the future of shopping
Technology

The technology powering the future of shopping

16 Sep 2021