PhonAndroid Camera, baby monitor: a flaw allows hackers to spy on millions of users
A critical security flaw threatens millions of connected objects around the world. According to our colleagues at Wired, this vulnerability makes it possible to access live video and audio streams, or even to take full control of a device remotely. The problem: this flaw is present in a software development kit used by more than 80 million connected objects.
Our connected objects are regularly the target of various threats. There is no shortage of stories on this subject, such as sex toys riddled with security flaws, or cheap connected doorbells that are particularly easy to hack. However, as our colleagues at Wired explain, the current threat is not to be taken lightly.
According to computer security researchers from Mandiant, a vulnerability is hidden in more than 80 million connected objects around the world. It concerns cameras, digital recorders, doorbells, and even baby monitors. As they explain, this flaw is in a software development kit dubbed ThroughTek Kalay.
A flaw that threatens millions of connected objects
This kit, used by millions of connected objects, provides an out-of-the-box system for connecting smart devices to their corresponding mobile applications. In other words, the Kalay platform acts as a gateway between a device and its Android or iOS application. In particular, it manages authentication and sends commands and data in both directions.
According to Jake Valletta, director of research at Mandiant, this flaw allows “an attacker to connect to a device at will, retrieve audio and video data and use the remote API to trigger a firmware update, change the camera angle or restart the device. And the user does not know that something is wrong”.
After investigating, Mandiant experts determined that the flaw lies in the registration mechanism between the devices and their mobile apps. This basic connection is based on the UID, a unique identifier provided by Kalay. An attacker who managed to obtain a device's UID, either through social engineering or via a manufacturer's data leak, would be able to re-register the UID and hijack the connection during the next legitimate attempt to access the target device.
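To show why treating knowledge of a UID as proof of identity is fragile, here is a simplified model added for this article; it is not ThroughTek's code and does not reproduce the Kalay protocol. The class names, the per-device key and the HMAC proof are assumptions chosen for illustration: the first registry accepts any registration for a UID, the second requires proof of a secret provisioned on the device and records rejected attempts for alerting.

```python
import hashlib
import hmac


class UidOnlyRegistry:
    """Simplified model of the weak design: knowing a UID is enough to register it."""

    def __init__(self):
        self.routes = {}  # UID -> endpoint that client connections are sent to

    def register(self, uid, endpoint):
        self.routes[uid] = endpoint  # the latest registration silently wins
        return True

    def lookup(self, uid):
        return self.routes.get(uid)


def sign_registration(key, nonce, endpoint):
    """Device-side proof binding a registration to its endpoint and a nonce."""
    return hmac.new(key, nonce + endpoint.encode(), hashlib.sha256).digest()


class AuthenticatedRegistry(UidOnlyRegistry):
    """Hardened model: a registration must prove possession of a per-device secret."""

    def __init__(self, device_keys):
        super().__init__()
        self.device_keys = device_keys  # UID -> secret set at manufacture (assumption)
        self.rejected = []              # failed attempts, kept for alerting

    def register(self, uid, endpoint, nonce=b"", proof=b""):
        key = self.device_keys.get(uid)
        # Compute an expected value even for unknown UIDs so both paths compare.
        expected = sign_registration(key or b"", nonce, endpoint)
        if key is None or not hmac.compare_digest(expected, proof):
            self.rejected.append((uid, endpoint))
            return False
        # In a real design the nonce would be issued by the server and used once.
        return super().register(uid, endpoint)
```

In the hardened model a leaked UID is no longer sufficient on its own, and each rejected registration for a known UID is a signal worth monitoring.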
A patch has been deployed, but...
From the user's point of view, there would be only a slight slowdown of a few seconds before the device is reached normally. The attacker, on the other hand, could recover special identifiers, such as a unique and random user name and password determined by each manufacturer. With these two pieces of data in hand, the attacker is then free to control the device remotely via the Kalay platform.
So far, Mandiant researchers say there is no evidence that this flaw has been exploited. For its part, ThroughTek Kalay has released a patch. However, it is up to the many manufacturers to deploy this patch in turn on their respective devices, which can take a long time.
Source: Wired