IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

83 million IoT devices at risk of hacking

The vulnerability could enable threat actors to listen in on private conversations and watch live video streams

A concept visualising IoT security

At least 83 million Internet of Things (IoT) devices around the world could be at risk of hacking, potentially enabling threat actors to listen in on private conversations and watch live video streams from baby monitors and smart cameras.

That's according to new findings from Mandiant, a cyber security company and subsidiary of FireEye.

Mandiant security researchers Jake Valletta, Erik Barzdukas, and Dillon Franke discovered a vulnerability that affects IoT devices that use the Kalay network platform manufactured by Taiwanese IoT and M2M (machine-to-machine) solutions provider ThroughTek.

Tracked as CVE-2021-28372, the vulnerability affects a core component of the Kalay platform, allowing hackers to “listen to live audio, watch real-time video data, and compromise device credentials for further attacks based on exposed device functionality”, according to the researchers.

Although Mandiant was not able to pinpoint the affected devices, its researchers noted that ThroughTek has at least 83 million active devices as well as an estimated 1.1 billion monthly connections on its Kalay platform, with all of them potentially being exposed to hackers.

Mandiant disclosed the vulnerability to the US’ Cybersecurity and Infrastructure Security Agency (CISA), which has published an advisory report on the issue that recommends that users disconnect their ThroughTek devices from the internet, isolate them from the business networks, and to only connect to devices through virtual private networks (VPN).

A spokesperson for the UK’s National Cyber Security Centre (NCSC) told IT Pro that it is “aware of this vulnerability”, adding that ThroughTek “has released an update to fix the issue”.

Related Resource

X-Force Threat Intelligence Index

Top security threats and recommendations for resilience

Transparent cube against a black background - whitepaper from IBMFree download

“Simply using the platform does not automatically make you vulnerable to real-world impact, as additional information that is hard to guess is needed to exploit the vulnerability in an individual device successfully. To maximise protection, the NCSC recommends individuals keep their software up to date by installing the latest vendor updates as soon as practicable,” said the NCSC spokesperson.

The discovery of CVE-2021-28372 by Mandiant comes two months after Nozomi Networks researchers discovered a similar flaw affecting ThroughTek’s P2P SDK, which is used to provide remote access to audio or video streams over the internet.

The UK government is working on a new law that will force IoT device manufacturers to meet minimum security requirements and banning them from setting easy-to-hack passwords such as ‘admin’ or ‘password’. In April, it was announced that the legislation would also include smartphones.

Featured Resources

Activation playbook: Deliver data that powers impactful, game-changing campaigns

Bringing together data and technology to drive better business outcomes

Free Download

In unpredictable times, a data strategy is key

Data processes are crucial to guide decisions and drive business growth

Free Download

Achieving resiliency with Everything-as-a-Service (XAAS)

Transforming the enterprise IT landscape

Free Download

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Recommended

Mastering endpoint security implementation
Security

Mastering endpoint security implementation

18 May 2022
The Total Economic Impact™ of Apple Mac in Enterprise: M1 update
Whitepaper

The Total Economic Impact™ of Apple Mac in Enterprise: M1 update

12 May 2022
Dell Technologies World 2022: Dell unveils fastest storage architecture in company history
Server & storage

Dell Technologies World 2022: Dell unveils fastest storage architecture in company history

4 May 2022
Dell Technologies World 2022: Dell unveils security offerings for major cloud providers
public cloud

Dell Technologies World 2022: Dell unveils security offerings for major cloud providers

3 May 2022

Most Popular

Europe's first autonomous petrol station opens in Lisbon
automation

Europe's first autonomous petrol station opens in Lisbon

23 May 2022
Nvidia pauses hiring to help cope with inflation
Careers & training

Nvidia pauses hiring to help cope with inflation

23 May 2022
Open source packages with millions of installs hacked to harvest AWS credentials
hacking

Open source packages with millions of installs hacked to harvest AWS credentials

24 May 2022