Millions Of IoT Devices Vulnerable To Attacks Leads To Full Takeover

Researchers discovered four significant vulnerabilities in the ThroughTek Kalay Platform, which powers 100 million IoT-enabled devices.

Notably, ThroughTek Kalay’s influence emphasizes the importance of protecting homes, companies, and integrators alike with its widespread presence in security cameras and other devices.

The affected cameras are the Roku Indoor Camera SE, Wyze Cam v3, and Owlet Cam v1 and v2.

When combined, the identified vulnerabilities tracked as CVE-2023-6321, CVE-2023-6322, CVE-2023-6323, and CVE-2023-6324 allow for both remote code execution to fully compromise the victim device and unauthorized root access from within the local network.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

“When chained together, these vulnerabilities facilitate unauthorized root access from within the local network, as well as remote code execution to completely subvert the victim device”, BitDefender researchers shared with Cyber Security News.

Overview Of The Significant Vulnerabilities

CVE-2023-6321 Owlet Camera OS Command Injection

This vulnerability enables the complete compromise of the device by enabling an authorized user to execute system commands as the root user.

“An attacker can make authenticated requests to trigger this vulnerability,” reads the advisory.

CVE-2023-6322 Stack-Based Buffer Overflow

Through a stack-based buffer overflow vulnerability in the handler of an IOCTL message—a feature commonly used to configure motion detection zones in cameras—attackers can obtain root access. 

This is a vulnerability unique to certain gadgets with motion detection capabilities.

CVE-2023-6323 ThroughTek Kalay SDK Insufficient Verification

This vulnerability presents a way for a local attacker to gain the AuthKey secret without authorization, hence facilitating an attacker’s initial connection to the victim’s device.

CVE-2023-6324 ThroughTek Kalay SDK Error In Handling The PSK Identity

This takes advantage of a flaw that lets attackers infer the pre-shared key for a DTLS session, which is a necessary requirement to establish a connection and communicate with the target devices.

Affected Vendors

The Roku Indoor Camera SE, Wyze Cam v3, and Owlet Cam v1 and v2 have been identified as the affected cameras.


Bitdefender reported these vulnerabilities to ThroghTek on October 19, 2023, and the vendor has subsequently patched them.

It is advised that users of the affected devices ensure they have updated every update that is available. 

On-Demand Webinar to Secure the Top 3 SME Attack Vectors: Watch for Free


Recent Posts

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,' who claims to have compromised the…

2 days ago

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users, leading to widespread reports of Blue…

2 days ago

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have drained billions from victims' wallets. This…

2 days ago

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which link to a variety of systems…

3 days ago

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and often have extensive community support, making…

3 days ago

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are largely employed for communication and collaboration,…

3 days ago