Skip links

If you haven’t updated your ThroughTek DVR since 2018 do so now, warns Mandiant as critical vuln surfaces

A critical vulnerability affecting tens of millions of digital video recorders powering baby monitors and CCTV systems across the world has been uncovered by Mandiant, which claims the vuln allows for unauthorised viewing of live camera footage.

The vuln exists in Chinese IoT vendor ThroughTek’s Kalay communication protocol, the researchers claim, adding that malicious users could exploit the vuln to remotely access victims’ DVRs.

Exploiting the vuln for real, however, involves carrying out a man-in-the-middle attack: meaning the attacker needs to first obtain your home or office Wi-Fi password, or for the user to do something like open a remote management mobile app while on a poorly secured coffee shop Wi-Fi network.

While the vulnerability is bad, and potentially affects up to 83 million DVRs using the Kalay protocol worldwide, there are some straightforward controls on network access (mostly implementing strong passwords) anyone can carry out to help make it less likely.

“Unlike the vulnerability published by researchers from Nozomi Networks in May 2021 (also in coordination with CISA), this latest vulnerability allows attackers to communicate with devices remotely,” warned Mandiant Threat Intelligence today. “As a result, further attacks could include actions that would allow an adversary to remotely control affected devices and could potentially lead to remote code execution.”

Tracked as CVE-2021-28732, the vuln is rated 9.6 out of 10 on the CVSSv3.1 severity scale. ThroughTek boasts 83 million active users – though the company said it had been aware of this flaw, encouraging customers to patch it since 2018.

How does the attack work?

ThroughTek’s Kalay protocol is “implemented as a Software Development Kit (‘SDK’) which is built into client software (e.g. a mobile or desktop application) and networked IoT devices, such as smart cameras”, said Mandiant in a blog post.

Kalay requires only a device unique identity number (UID) to provision a new DVR on a network. An attacker who obtains that UID can maliciously register their own device in place of the original, meaning all connection requests intended for the original go to the attacker instead.

When the user tries to access the DVR through the Kalay protocol (say, via a mobile app management interface), the DVR’s username and password are transmitted to the registered UID. By MITM’ing these details, the attacker can forward on the connection request and examine the device’s video and audio feed at their leisure.

With the access credentials for the DVR in the attacker’s hands, that device could potentially be used for further attacks – but their severity depends whether the DVR vendor did something silly such as reusing admin credentials across all its devices. ThroughTek is a software vendor, meaning these potential attacks become a study in case-by-case compromise rather than a blanket attack vector.

Kalay UIDs are obtained from an API hosted by ThroughTek, said Mandiant, and reverse engineering these was so non-trivial the company didn’t attempt that. Discovering the vuln required reverse-engineering the entire Kalay protocol, it added.

ThroughTek PSIRT member Yi-Ching Chen told The Register the company had “assisted the customers who used the outdated SDK to update the firmware of the devices with a patch fix released in late 2018.”

“For the past three years, we have been informing our customers to upgrade their SDK,” he added. “Some old devices lack OTA function which makes [firmware] upgrades impossible. In addition, we have customers who don’t want to enable DTLS because it would slow down the connection establishment speed, therefore are hesitant to upgrade.”

Mandiant advised users to upgrade the Kalay SDK to version or above and to enable DTLS (datagram transport layer security; TLS for video streams, basically) and Kalay’s Authkey technology.

DVRs have long been known as juicy targets for the maliciously inclined; in 2017 the SANS Institute warned that DVRs were a specific target for spray-and-pray login attempts using known lists of default credentials. ®