Cybersecurity researchers from Mandiant have disclosed that millions of IoT devices operating across the globe were vulnerable to cyber attacks because of a flaw in the Kalay Cloud platform software supplied by ThroughTek.
On Tuesday this week, the bug, tracked as CVE-2021-28372, was reported to the US Cybersecurity and Infrastructure Security Agency (CISA) by the researchers of FireEye Mandiant. CISA is expected to release an emergency alert on the matter by this weekend.
Analysis found that hackers can eavesdrop on real-time camera feeds through the flaw in the Kalay software platform, which is used by many OEMs that manufacture IP cameras, baby cams, pet monitoring cameras, digital video recorders and much more.
It is estimated that over 83 million IoT devices could be affected by the Kalay protocol flaw, which could let attackers generate and send messages and use the victimized devices in social engineering attacks.
ThroughTek has issued a fix, version 3.1.10, for the issue and is urging organizations using Kalay to upgrade to the recent version as early as possible. Those affected are also being asked to enable DTLS, which protects data in transit, and to use AuthKey, which acts as an additional layer of authentication during client connection.
Note: Kalay is a protocol that IoT devices, such as IP cameras, DVRs and other devices, use for communication. The real meaning of Kalay is "handshake" in the Taiwan language, and it was developed to offer a decentralized technology for seamless integration of devices, sensors and system integrators of many known technology brands.