
Notes on ThroughTek Kalay vulnerabilities and their impact on the IoT ecosystem

Since 2014, Bitdefender IoT researchers have been examining the world’s most popular IoT devices, looking for vulnerabilities and undocumented attack paths. This report documents four vulnerabilities in devices powered by the ThroughTek Kalay platform. Because the platform is so widely integrated into IoT products, these vulnerabilities have a significant impact on downstream vendors.

In the connected Internet of Things (IoT) landscape, the reliability and security of devices, infrastructure and data are of paramount importance. Among the many frameworks that facilitate the operation of IoT devices, one of the most widely deployed is ThroughTek’s Kalay platform, which powers over 100 million devices around the world. With a dominant presence in surveillance cameras and security devices, ThroughTek Kalay plays an outsized role in protecting homes, businesses and integrators.

NOTE: The vulnerabilities reported in this document have been responsibly disclosed to the affected vendors. Specific firmware information is available in each report below. We would like to thank the vendors involved for promptly confirming the vulnerabilities and issuing patches.

Timeline

  • October 19, 2023: Bitdefender contacts ThroughTek and sends a vulnerability report.
  • October 20, 2023: Vendor confirms the issues.
  • October 26, 2023: Vendor requests a 90+ day extension to develop and roll out the patch.
  • March 15, 2024: Vendor requests an additional extension.
  • April 12, 2024: Coordinated vulnerability disclosure is scheduled for May 15, 2024, to allow all interested parties to apply patches.
  • April 16, 2024: Vendor confirms that all affected SDK versions have been patched.
  • May 15, 2024: This report becomes public.

Security vulnerabilities disclosed

  • CVE-2023-6321 allows an authenticated user to run system commands as root, leading to full device compromise.
  • CVE-2023-6322 allows attackers to gain root access via a stack buffer overflow in the IOCTL message handler typically used to configure motion detection zones in cameras. It is present in some devices that use motion detection.
  • CVE-2023-6323 allows a local attacker to obtain the AuthKey secret, which the attacker can then use to establish an initial connection to the victim’s device.
  • CVE-2023-6324 allows attackers to infer the pre-shared key of a DTLS session, a prerequisite for connecting to and communicating with victim devices.

Combined, these vulnerabilities enable unauthorized root access from the local network, as well as remote* code execution, leading to full compromise of the victim’s device.

*Remote code execution is only possible after the attacker has first scanned the device from the local network.

Affected vendors
While these vulnerabilities affect the TUTK platform and consequently most implementations built on it, our study was conducted on three popular devices sold globally. Because some vendors have device-specific vulnerabilities, individual timelines are available in each report.

Owlet Cam v1 and v2
Owlet Cam uses ThroughTek Kalay to communicate with clients over the Internet. Three vulnerabilities (CVE-2023-6323, CVE-2023-6324 and CVE-2023-6321) can be chained to let an attacker gain root access from the local network and then execute commands on the device. On Owlet Cam, command execution is achieved through CVE-2023-6321, a vulnerability in the handler of IOCTL message 0x6008E, which is used to unpack archives containing OTA updates.
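As an added illustration (not Owlet’s or ThroughTek’s code, and not taken from the whitepaper), the C below shows the bug class this page describes for CVE-2023-6321: a device-side handler that unpacks an OTA archive and, in doing so, runs a system command built from data the client sent. The message layout, the `/tmp/ota/` staging path and the shell-interpolation mechanism are assumptions chosen for the example; the page does not say how the real 0x6008E handler invokes its unpacker. The hardened variant allow-lists the archive name and passes a fixed `argv` to `execv`, so no shell ever parses client input.

```c
// Added example, not ThroughTek/Owlet code. Demonstrates why an OTA unpack
// handler must never hand client-supplied names to a shell, and how to avoid it.
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* --- Vulnerable pattern (assumed): interpolate the archive name into a shell command. --- */

// Builds the command string such a handler would pass to system().
// Returns 0 on success, -1 if it does not fit in cmd.
int build_unpack_cmd_vulnerable(const char *archive_name, char *cmd, size_t cmdlen)
{
    int n = snprintf(cmd, cmdlen, "tar xzf /tmp/ota/%s -C /", archive_name);
    return (n < 0 || (size_t)n >= cmdlen) ? -1 : 0;
}

// True if the built command line contains a character the shell would treat as
// command separation or substitution: the condition an attacker who controls
// archive_name relies on.
int cmd_contains_shell_metachar(const char *cmd)
{
    return strpbrk(cmd, ";|&`$()<>\n") != NULL;
}

// Convenience: does a given client-supplied name turn the vulnerable command into
// an injection? Returns 1/0, or -1 if the command does not fit.
int vulnerable_name_injects(const char *archive_name)
{
    char cmd[256];
    if (build_unpack_cmd_vulnerable(archive_name, cmd, sizeof cmd) != 0) return -1;
    return cmd_contains_shell_metachar(cmd);
}

/* --- Hardened version: allow-list the name, then exec without a shell. --- */

// Accept only short names made of [A-Za-z0-9._-] that do not start with '.' or '-'
// (blocks hidden files, path traversal via "..", and option injection such as "-C").
int ota_name_is_safe(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 64) return 0;
    if (name[0] == '.' || name[0] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    if (strstr(name, "..") != NULL) return 0;
    return 1;
}

// Unpacks /tmp/ota/<name> by exec'ing tar with a fixed argv; no shell is involved.
// Returns tar's exit status, or -1 if the name is rejected or the child cannot be spawned.
int unpack_ota_hardened(const char *name)
{
    if (!ota_name_is_safe(name)) return -1;

    char path[128];
    snprintf(path, sizeof path, "/tmp/ota/%s", name);  // fits: name is at most 64 chars

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "tar", "xzf", path, "-C", "/", NULL };
        execv("/bin/tar", argv);
        _exit(127);                                     // exec failed
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The allow-list is deliberately stricter than "reject shell metacharacters": with `execv` the shell is gone, but `tar` itself still parses its arguments, so a name beginning with `-` or containing `..` has to be refused as well.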

A technical overview of the vulnerabilities and how they can be chained to compromise Owlet Cam is available below:

Download the whitepaper

Wyze Cam v3
Bitdefender researchers identified three vulnerabilities in Wyze Cam v3, tracked as CVE-2023-6322, CVE-2023-6323 and CVE-2023-6324. Chained together, they could allow an attacker to gain root access from the local network. In this case, command execution on the Wyze Cam v3 is achieved through CVE-2023-6322, a stack buffer overflow in the handler of IOCTL message 0x284C, which is used to set the motion detection zone.
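As an added illustration (not Wyze’s, Roku’s or ThroughTek’s code, and not the actual 0x284C handler, whose message format this page does not describe), the C below shows the bug class described for CVE-2023-6322: a handler that copies a client-supplied, length-prefixed list of motion zones into a fixed-size array on its stack without bounding the count against either the array or the bytes actually received. The wire layout (a little-endian zone count followed by 8-byte zones) is an assumption chosen for the example. The hardened parser rejects counts above the array capacity and messages shorter than their declared payload.

```c
// Added example, not ThroughTek/Wyze code. The zone layout and the message
// format below are assumptions chosen for illustration.
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_ZONES 8

struct zone { uint16_t x, y, w, h; };         // 8 bytes, assumed per-zone layout

static uint32_t rd_u32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd_u16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | p[1] << 8);
}

/* Assumed message body: uint32 count (LE), then count * sizeof(struct zone) bytes. */

// Vulnerable pattern: the handler trusts the client-supplied count and memcpy()s
// count * 8 bytes into "struct zone zones[MAX_ZONES]" on its stack. This helper
// returns that copy length instead of performing the (undefined-behaviour) copy,
// so callers can see how far past the 64-byte array the copy would reach.
size_t vulnerable_copy_length(const uint8_t *msg, size_t msglen)
{
    if (msglen < 4) return 0;
    uint32_t count = rd_u32le(msg);              // attacker-controlled
    return (size_t)count * sizeof(struct zone);  // no check against MAX_ZONES or msglen
}

// Hardened parser. Returns the number of zones decoded into out[], or -1 if the
// message is malformed: count exceeds the array, or the body is shorter than claimed.
int parse_zones_hardened(const uint8_t *msg, size_t msglen, struct zone out[MAX_ZONES])
{
    if (msglen < 4) return -1;
    uint32_t count = rd_u32le(msg);
    if (count > MAX_ZONES) return -1;                         // bound by destination size
    size_t need = 4 + (size_t)count * sizeof(struct zone);
    if (msglen < need) return -1;                             // bound by bytes received
    const uint8_t *p = msg + 4;
    for (uint32_t i = 0; i < count; i++, p += sizeof(struct zone)) {
        out[i].x = rd_u16le(p);
        out[i].y = rd_u16le(p + 2);
        out[i].w = rd_u16le(p + 4);
        out[i].h = rd_u16le(p + 6);
    }
    return (int)count;
}

// Builds a constructed test message: `count` in the header, then `body_zones`
// zones whose width is 100 + index. body_zones < count simulates a message that
// declares more zones than it carries. Returns the message length, 0 if buf is too small.
size_t build_zone_msg(uint8_t *buf, size_t buflen, uint32_t count, uint32_t body_zones)
{
    size_t len = 4 + (size_t)body_zones * sizeof(struct zone);
    if (buflen < len) return 0;
    buf[0] = (uint8_t)(count & 0xff);        buf[1] = (uint8_t)((count >> 8) & 0xff);
    buf[2] = (uint8_t)((count >> 16) & 0xff); buf[3] = (uint8_t)((count >> 24) & 0xff);
    for (uint32_t i = 0; i < body_zones; i++) {
        uint8_t *z = buf + 4 + (size_t)i * sizeof(struct zone);
        uint16_t w = (uint16_t)(100 + i);
        z[0] = 10; z[1] = 0;                              // x = 10
        z[2] = 20; z[3] = 0;                              // y = 20
        z[4] = (uint8_t)(w & 0xff); z[5] = (uint8_t)(w >> 8);   // w
        z[6] = 30; z[7] = 0;                              // h = 30
    }
    return len;
}

// Self-contained check on constructed input: returns 1 if the hardened parser accepts a
// valid 2-zone message and rejects both an oversized count and a truncated body, else 0.
int demo_zone_handler(void)
{
    uint8_t buf[4 + 16 * sizeof(struct zone)];
    struct zone zones[MAX_ZONES];

    size_t n = build_zone_msg(buf, sizeof buf, 2, 2);
    if (parse_zones_hardened(buf, n, zones) != 2 || zones[1].w != 101) return 0;

    n = build_zone_msg(buf, sizeof buf, 0x10000, 1);      // count far beyond MAX_ZONES
    if (parse_zones_hardened(buf, n, zones) != -1) return 0;
    if (vulnerable_copy_length(buf, n) <= sizeof zones) return 0;  // would overrun the stack

    n = build_zone_msg(buf, sizeof buf, 3, 2);            // declares 3 zones, carries 2
    if (parse_zones_hardened(buf, n, zones) != -1) return 0;
    return 1;
}
```

Both checks matter independently: bounding `count` by `MAX_ZONES` stops the stack overwrite, and bounding it by `msglen` stops an over-read of whatever follows the message in memory, which is the other half of the same unchecked-length mistake.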

A technical overview of the vulnerabilities and how they can be chained to compromise Wyze Cam v3 is available below:

Download the whitepaper

Roku SE Indoor Camera
The vulnerabilities in the Roku Indoor Camera SE are identical to those in the Wyze Cam v3 (and potentially other security cameras). Bitdefender researchers chained CVE-2023-6322, CVE-2023-6323 and CVE-2023-6324 to obtain the prerequisites for communicating with the camera and then ran operating system commands as root.

A detailed technical overview of the vulnerabilities and how they can be chained to compromise the Roku Indoor Camera SE is available below:

Download the whitepaper

Consequences and remedies
The consequences of these vulnerabilities go far beyond theoretical exploits: they directly affect the privacy and security of users of ThroughTek Kalay-powered devices. Our findings have been responsibly disclosed to both the platform provider and the tested integrators. Updated firmware and SDK versions have been made available for the affected devices to prevent these issues from being exploited in real-world scenarios.