Millions of IoT Devices Vulnerable After Researchers Uncover Flaws in ThroughTek Kalay Platform

Recently, Bitdefender IoT researchers revealed four critical vulnerabilities in ThroughTek’s Kalay platform, a cornerstone of the IoT ecosystem. This platform powers over 100 million devices worldwide, including popular smart home devices like surveillance cameras and baby monitors.

The report outlines four distinct vulnerabilities, each with the potential to severely compromise device security:

• CVE-2023-6321: This flaw allows an authenticated user to execute system commands as the root user, leading to complete device takeover.
• CVE-2023-6322: A stack-based buffer overflow vulnerability in the handler of an IOCTL message used for configuring motion detection zones. This allows attackers to gain root access.
• CVE-2023-6323: Enables local attackers to illicitly obtain the AuthKey secret, facilitating an initial connection to the target device.
• CVE-2023-6324: Allows attackers to deduce the pre-shared key for a DTLS session, essential for communicating with victim devices.

When these vulnerabilities are chained together, they enable unauthorized root access from within the local network and remote code execution, posing a significant threat to device security.

Impacted Devices

While these vulnerabilities affect the ThroughTek Kalay platform, the research focused on three major devices sold worldwide:

1. Owlet Cam v1 and v2:
   • Vulnerabilities: CVE-2023-6321, CVE-2023-6323, CVE-2023-6324
   • Impact: Allows root access and command execution via a vulnerability in IOCTL message 0x6008E, used for unpacking OTA updates.
2. Wyze Cam v3:
   • Vulnerabilities: CVE-2023-6322, CVE-2023-6323, CVE-2023-6324
   • Impact: Allows root access and command execution via a stack-based buffer overflow in IOCTL message 0x284C, used for setting motion detection zones.
3. Roku Indoor Camera SE:
   • Vulnerabilities: Identical to those in Wyze Cam v3 (CVE-2023-6322, CVE-2023-6323, CVE-2023-6324)
   • Impact: Enables attackers to communicate with the camera and execute OS commands as the root user.

Implications and Remediation

The disclosed vulnerabilities pose significant risks to the privacy and safety of users, as they allow attackers to gain unauthorized access and control over devices. The ramifications extend beyond theoretical exploits, emphasizing the urgent need for remediation.

Bitdefender has responsibly disclosed these vulnerabilities to ThroughTek and the affected device manufacturers. In response, updated firmware and SDKs have been released to mitigate these security issues and protect users from potential exploitation.