Millions of IoT Devices Exposed to Attacks Due to Cloud Platform Vulnerability
Researchers at FireEye’s threat intelligence and incident response unit Mandiant have identified a critical vulnerability that exposes millions of IoT devices to remote attacks.
The flaw was found in a core component of the Kalay cloud platform for IoT devices offered by ThroughTek, a company that provides IoT and M2M solutions for surveillance, security, smart home, cloud storage, and consumer electronics systems.
The vulnerability is tracked as CVE-2021-28372 and has been assigned a CVSS score of 9.6. Exploitation of the issue allows an attacker to access audio and video data and to abuse RPC (remote procedure call) functionality, which is typically implemented for firmware updates, device control, and telemetry.
ThroughTek has released SDK updates that address the vulnerability. In addition, the company has advised customers to enable AuthKey (for an extra layer of authentication) and DTLS (to protect data in transit) to reduce the risk of attacks.
Source: securityweek.com
20 August 2021