Here’s how hackers exploit IoT device vulnerabilities to invade hardware

A vulnerability in IoT cameras allows cybercriminals to gain access to the network and watch live video feeds, create botnets, or worse.
19 August 2021

The idea of a smart surveillance network being controlled by rogue operators is frightening. (Photo by Tolga Akmen / AFP)

Any IoT device can be hacked today, once its vulnerabilities have been identified. Case in point: IoT-enabled smart surveillance cameras, which are increasingly prevalent in the workplace and crucial for giving organizations visibility over what happens on their premises.

Be it CCTVs or IP cameras, these devices are now able to support more features. Smart IP cams and CCTVs can be used for facial and thermal recognition and even have motion sensors that can detect movement within an area.

Faced with mounting demand, the smart camera market is projected to reach US$9.17 billion by 2026, especially with more adoption of automated systems in homes and industries. Smart home surveillance cameras are now becoming an integral part of smart cities as well, not just for security but also for providing crucial data on smart homes.

While smart cameras are meant to secure environments, like a lot of IoT smart devices they are themselves vulnerable to hacks. Most of these devices are built around sensors and focus primarily on delivering data. Most of them are not built with any cybersecurity protection, as the devices rely on the network to be secured. A secured network ensures the smart cameras are not vulnerable to cyberattacks.

But recently, cybersecurity firm Mandiant and ThroughTek, an IoT solutions provider for cloud surveillance, along with the Cybersecurity and Infrastructure Security Agency (CISA), disclosed a vulnerability discovered in millions of IoT camera devices. The exploit allows cybercriminals to gain access to smart cameras and watch live video feeds, create botnets, or use these devices as an entry point for further attacks.

The vulnerabilities were found in IoT devices on the ThroughTek Kalay network. The Kalay network integrates video surveillance equipment, smart consumer products and sensors. The network allows the entire smart device ecosystem comprising manufacturers, telco providers, system integrators, hardware manufacturers, and other service providers to offer safer smart solutions.

Not an easy hack

ThroughTek counts up to 83 million devices and over 1.1 billion monthly connections, and its clients include manufacturers of IoT cameras, smart baby monitors, and digital video recorders.

According to a threat research blog by Mandiant, a cybercriminal would require comprehensive knowledge of the Kalay protocol as well as the ability to generate and send messages. They would also need to obtain Kalay unique identifiers (UIDs) through social engineering or other vulnerabilities in APIs or services that return Kalay UIDs. From there, cybercriminals would be able to remotely compromise affected devices that correspond to the obtained UIDs.

Speaking to TechHQ, Mark Bowling, the VP of Security Response Services at ExtraHop, explained how IoT is creating a new and broader attack surface, exposing end users and enterprises to new risks in both the remote work era and environments where security cameras are pervasive.

“What’s deeply concerning here is that a remote hacker can exploit the vulnerabilities in the ThroughTek Kalay IoT cloud platform to gain access to the live audio and video streams used by consumers, and potentially corporate-grade security and surveillance systems,” said Bowling. “In the proof of concept, an attacker with the UID of a target system could register on the Kalay network a device they control and receive all client connection attempts. This would allow them to obtain the login credentials that provide remote access to the victim device audio-video data.”

Bowling believes that the exploit should be taken as a wake-up call for any industry that leverages IoT devices, particularly security cameras. OEM and manufacturer-to-manufacturer (M2M) IoT component producers should have a plan for device discovery, patching, and containment, specifically for devices used in compliance-focused industries such as healthcare.

“This raises questions about the use of Kalay in multiple environments. Specifically, can you imagine the impact had this been a prolific medical IoT device that is storing patient data in the ThroughTek cloud? Or perhaps a security camera and surveillance system that is deployed by a healthcare system where privacy of patients could be compromised?”

Both Mandiant and ThroughTek have strongly recommended that businesses using the Kalay protocol upgrade to the latest version. Mandiant also recommended ensuring that IoT device manufacturers apply stringent controls around web APIs used to obtain Kalay UIDs, usernames, and passwords to minimize a cybercriminal’s ability to harvest sensitive materials needed to access devices remotely.
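The registration weakness described in the proof of concept above, and the kind of check that closes it, as an added illustration that is not code from the article, Mandiant or ThroughTek. It is a simplified model, not the Kalay protocol: the class names, the HMAC challenge-response scheme, the sample UID and the hostnames are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

def sign(key, nonce, endpoint):
    # Proof is bound to the one-time challenge and to the endpoint being registered.
    return hmac.new(key, nonce + endpoint.encode(), hashlib.sha256).digest()

class UidOnlyRegistry:
    """Model of the flaw: knowing a UID is enough to register for it."""
    def __init__(self):
        self.routes = {}  # uid -> endpoint that client connections are sent to

    def register(self, uid, endpoint):
        self.routes[uid] = endpoint  # last writer wins, no proof of identity
        return True

class AuthenticatedRegistry(UidOnlyRegistry):
    """Hardened model: registration needs proof of a per-device secret."""
    def __init__(self, device_keys):
        super().__init__()
        self.device_keys = device_keys  # uid -> secret provisioned with the device
        self.pending = {}               # uid -> outstanding one-time challenge

    def challenge(self, uid):
        self.pending[uid] = secrets.token_bytes(16)
        return self.pending[uid]

    def register(self, uid, endpoint, proof=b""):
        nonce = self.pending.pop(uid, None)  # each challenge is single use
        key = self.device_keys.get(uid)
        if nonce is None or key is None:
            return False
        if not hmac.compare_digest(sign(key, nonce, endpoint), proof):
            return False
        self.routes[uid] = endpoint
        return True

def demo():
    uid, key = "EXAMPLE-UID-0001", secrets.token_bytes(32)  # constructed values
    weak, strong = UidOnlyRegistry(), AuthenticatedRegistry({uid: key})
    weak.register(uid, "camera.example")
    weak.register(uid, "rogue.example")  # second party holds only the UID
    strong.register(uid, "camera.example", sign(key, strong.challenge(uid), "camera.example"))
    forged = sign(b"not-the-key", strong.challenge(uid), "rogue.example")
    rejected = not strong.register(uid, "rogue.example", forged)
    return weak.routes[uid], strong.routes[uid], rejected
```

In the UID-only model the second registration silently takes over the route that client connections follow, while the authenticated model keeps the original endpoint because the UID alone proves nothing.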