IoT Cameras Exposed by Chainable Exploits, Millions Affected


The Internet of Things (IoT) promises a world of interconnected devices, but with this connectivity comes a dark side – security vulnerabilities, reveals Bitdefender research shared with Hackread.com ahead of publication on Wednesday.

Bitdefender’s IoT researchers have discovered multiple vulnerabilities in devices powered by ThroughTek’s Kalay Platform (TUTK), a widely used software service for IoT surveillance devices to create dedicated IoT ecosystems. These vulnerabilities put around 100 million+ devices worldwide at risk due to the platform’s extensive presence in IoT integrations.

Vulnerabilities Details

  • CVE-2023-6321 allows an authenticated user to run system commands as the root user to compromise the device fully.
  • CVE-2023-6322 lets attackers gain root access through a stack-based buffer overflow vulnerability in the handler of an IOCTL message, specifically used in camera motion detection zones. 
  • CVE-2023-6323 allows a local attacker to obtain the AuthKey secret, enabling them to establish a preliminary connection to the victim’s device. 
  • CVE-2023-6324 exploits a vulnerability allowing attackers to infer the pre-shared key for a DTLS session, a crucial prerequisite for connecting and communicating with victim devices.

Chained together, these vulnerabilities allow unauthorized root access within the local network and remote code execution is possible when the device is probed from the local network.

Impact Analysis

Bitdefender’s blog post reveals examining three major devices using ThroughTek’s Kalay solution to communicate with clients over the internet through its TUTK SDK- Owlet Cam v1, Wyze Cam v3, and Roku Indoor Camera SE and confirmed they were impacted by most of the vulnerabilities.

On these devices, the vulnerabilities would allow local attackers to leak the AuthKey secret, a secret string the platform’s smartphone app uses to connect to the device and refuse requests without the correct key.

Moreover, attackers could infer the pre-shared key for a DTLS session, and enable an authenticated user to run system commands as the root user, leading to device compromise.

Moreover, researchers successfully daisy-chained CVE-2023-6322, CVE-2023-6323, and CVE-2023-6324 to run OS commands as a root user, which could let attackers snoop, deliver malware, and enable lateral movement. For your information, daisy-chaining vulnerabilities mean exploiting multiple system weaknesses simultaneously to achieve a larger goal.

Current Status

Bitdefender sent a vulnerability report to ThroughTek on October 19, 2023. The vendor confirmed the issues and fixed all affected SDK versions by 16 April 2024, after which a coordinated vulnerability disclosure was released on May 15, 2024. Updated versions of Firmware and SDKs are available. Impacted device users must patch now to prevent exploitation.

  1. 91,000 Smart LG TV Devices Vulnerable to Remote Takeover
  2. Vietnamese Group Hacks and Sells Bedroom Camera Footage
  3. Smart Helmets Flaw Exposed Millions to Risk of Hacking, Surveillance
  4. Wyze Cameras Glitch: 13,000 Users Saw Footage from Others’ Homes
  5. Whitehat hacker shows how to detect hidden cameras in Airbnb, hotels





Source link