Security flaws affect millions of IoT devices

  • August 18, 2021
  • Steve Rogerson

Two major security flaws affecting millions of IoT devices have come to light this week.

Virginia-based Mandiant, in coordination with the Cybersecurity & Infrastructure Security Agency (CISA), disclosed a critical vulnerability affecting millions of IoT devices that use the ThroughTek Kalay network. And German researchers at IoT Inspector found issues in an SDK from Taiwanese semiconductor company Realtek that can affect hundreds of thousands of devices.

The vulnerability, discovered by researchers on Mandiant's Red Team in late 2020, can be used to remotely compromise IoT devices, giving an attacker the ability to listen to live audio, watch real-time video, and capture device credentials for further attacks based on whatever functionality the device exposes. Those follow-on attacks could include actions that allow an adversary to control affected devices remotely.

ThroughTek advertises having more than 83 million active devices and over 1.1 billion monthly connections on its platform. ThroughTek's clients include manufacturers of IoT cameras, smart baby monitors and digital video recorders.

Because the flaw lets an attacker communicate with affected devices remotely, follow-on attacks could give an adversary remote control of those devices and could potentially lead to remote code execution.

The Kalay protocol is implemented as a software development kit (SDK) which is built into client software such as a mobile or desktop application and networked IoT devices, such as smart cameras. Due to how the Kalay protocol is integrated by OEMs and resellers before devices reach consumers, Mandiant said it was unable to determine a complete list of products and companies affected by the discovered vulnerability.

Mandiant worked with ThroughTek and CISA to disclose this vulnerability and strongly recommends that companies using the Kalay platform follow the guidance provided by ThroughTek and Mandiant.

IoT Inspector said at least 65 vendors were affected by severe vulnerabilities that enable unauthenticated attackers to compromise the target device and execute arbitrary code with the highest level of privilege.

Over the course of a research project focusing on a specific cable modem, IoT Inspector identified that the system was using a dual-SoC design. The main SoC was running a Linux system, while the second SoC – a dedicated Realtek RTL819xD chipset implementing all the access point functions – was found to be running another, stripped-down Linux system from Realtek.

Realtek chipsets are found in many embedded devices in the IoT space. RTL8xxx SoCs – which provide wireless capabilities – are common.

“We therefore decided to spend time identifying binaries running on the RTL819xD on our target device, which expose services over the network and are provided by Realtek themselves,” said a statement from IoT Inspector. “Such binaries are packaged as part of the Realtek SDK, which is developed by Realtek and provided to vendors and manufacturers who use the RTL8xxx SoCs.”

Supported by IoT Inspector’s firmware analysis platform, the researchers performed vulnerability research on those binaries and identified more than a dozen vulnerabilities – ranging from command injection to memory corruption affecting UPnP, HTTP, and a custom network service from Realtek.

By exploiting these vulnerabilities, remote unauthenticated attackers can fully compromise the target device and execute arbitrary code with the highest level of privilege.

“We identified at least 65 different affected vendors with close to 200 unique fingerprints, thanks both to Shodan’s scanning capabilities and some misconfiguration by vendors and manufacturers who expose those devices to the internet,” said the statement.

Affected devices implement wireless capabilities and cover a wide spectrum of use cases: from residential gateways, travel routers, Wi-Fi repeaters and IP cameras to smart lighting gateways or even connected toys.

Realtek has been asked to comment.