Millions Of IoT Devices Vulnerable To Attacks Leads To Full Takeover

Researchers discovered four significant vulnerabilities in the ThroughTek Kalay Platform, which powers 100 million IoT-enabled devices.

Notably, ThroughTek Kalay’s influence emphasizes the importance of protecting homes, companies, and integrators alike with its widespread presence in security cameras and other devices.

The affected cameras are the Roku Indoor Camera SE, Wyze Cam v3, and Owlet Cam v1 and v2.

When combined, the identified vulnerabilities tracked as CVE-2023-6321, CVE-2023-6322, CVE-2023-6323, and CVE-2023-6324 allow for both remote code execution to fully compromise the victim device and unauthorized root access from within the local network.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

“When chained together, these vulnerabilities facilitate unauthorized root access from within the local network, as well as remote code execution to completely subvert the victim device”, BitDefender researchers shared with Cyber Security News.

Overview Of The Significant Vulnerabilities

CVE-2023-6321 Owlet Camera OS Command Injection

This vulnerability enables the complete compromise of the device by enabling an authorized user to execute system commands as the root user.

“An attacker can make authenticated requests to trigger this vulnerability,” reads the advisory.

CVE-2023-6322 Stack-Based Buffer Overflow

Through a stack-based buffer overflow vulnerability in the handler of an IOCTL message—a feature commonly used to configure motion detection zones in cameras—attackers can obtain root access. 

This is a vulnerability unique to certain gadgets with motion detection capabilities.

CVE-2023-6323 ThroughTek Kalay SDK Insufficient Verification

This vulnerability presents a way for a local attacker to gain the AuthKey secret without authorization, hence facilitating an attacker’s initial connection to the victim’s device.

CVE-2023-6324 ThroughTek Kalay SDK Error In Handling The PSK Identity

This takes advantage of a flaw that lets attackers infer the pre-shared key for a DTLS session, which is a necessary requirement to establish a connection and communicate with the target devices.

Affected Vendors

The Roku Indoor Camera SE, Wyze Cam v3, and Owlet Cam v1 and v2 have been identified as the affected cameras.

Recommendation

Bitdefender reported these vulnerabilities to ThroghTek on October 19, 2023, and the vendor has subsequently patched them.

It is advised that users of the affected devices ensure they have updated every update that is available. 

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free