Since 2014, Bitdefender IoT researchers have been looking into the world's most popular IoT devices, hunting for vulnerabilities and undocumented attack avenues. This report documents four vulnerabilities affecting devices powered by the ThroughTek Kalay Platform. Due to the platform’s massive presence in IoT integrations, these flaws have a significant downstream impact on several vendors.
In the interconnected landscape of the Internet of Things (IoT), the reliability and security of devices, infrastructure and data are paramount. Among the many frameworks facilitating the operation of IoT devices, ThroughTek's Kalay platform stands as a linchpin, powering more than 100 million devices worldwide. With a predominant presence in surveillance cameras and security devices, ThroughTek Kalay's influence underscores its significance in safeguarding homes, businesses, and integrators alike.
NOTE: the vulnerabilities presented in this paper have been responsibly disclosed to the affected vendors. Specific firmware information is available in each report below. We would like to extend our thanks to the involved vendors for their prompt acknowledgement of the vulnerabilities and rapid patch release.
When chained together, these vulnerabilities facilitate unauthorized root access from within the local network, as well as remote* code execution to completely subvert the victim device.
*Remote code execution is only possible after the device has been probed from the local network.
While these vulnerabilities affect the TUTK platform and subsequently impact most implementations, our research was conducted on three major devices sold worldwide. Given that some vendors had device-specific vulnerabilities, individual timelines are available in each report.
Owlet Cam uses the ThroughTek Kalay solution to communicate with clients over the Internet. The three vulnerabilities (CVE-2023-6323, CVE-2023-6324, and CVE-2023-6321) can be chained together to allow an attacker to obtain root access from the local network and then to execute commands on the device. On Owlet Cam, command execution is obtained via CVE-2023-6321 - a vulnerability in IOCTL message 0x6008E, which is used to unpack archives containing OTA updates.
A technical dive into the vulnerabilities and how they are daisy-chained to compromise the Owlet Cam is available below:
Bitdefender researchers have identified three vulnerabilities in Wyze Cam v3. They are tracked as CVE-2023-6322, CVE-2023-6323, and CVE-2023-6324. Chained together, these vulnerabilities allow an attacker to obtain root access from the local network. In this case, command execution on the Wyze Cam v3 is obtained via CVE-2023-6322 - a stack-based buffer overflow vulnerability in the handler of IOCTL message 0x284C that is used to set the motion detection zone.
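The Wyze Cam v3 issue above belongs to a familiar class: a message handler copies a sender-controlled, variable-length payload into a fixed-size stack buffer. The following C program is an added illustration of the two checks a hardened handler of that class performs, not code from Bitdefender, Wyze or ThroughTek, and it says nothing about the real message layout. Only the message type value 0x284C comes from the advisory; the four-byte header, the little-endian fields, the 64-cell zone limit and the function names are assumptions made for the example.

```c
/* Added example (not Bitdefender, Wyze or ThroughTek code): a hardened
 * handler for a variable-length IOCTL-style message whose payload is copied
 * into a fixed-size stack buffer.  Message type 0x284C is the value named in
 * the advisory; the header layout, the 64-cell zone limit and the function
 * names are assumptions made for the illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MSG_SET_MOTION_ZONE 0x284C
#define ZONE_MAX_CELLS 64           /* assumed capacity of the stack buffer */
#define HDR_LEN 4                   /* assumed: 2-byte type + 2-byte length */

typedef struct {
    uint16_t type;
    uint16_t len;            /* payload length declared by the sender */
    const uint8_t *payload;  /* points into the received buffer */
} ioctl_msg_t;

/* Parse a raw message; returns 0 on success, -1 if the buffer is too short
 * or the declared length exceeds the bytes actually received. */
int parse_msg(const uint8_t *buf, size_t buflen, ioctl_msg_t *out)
{
    if (buf == NULL || out == NULL || buflen < HDR_LEN) return -1;
    out->type = (uint16_t)(buf[0] | (buf[1] << 8));   /* little-endian, assumed */
    out->len  = (uint16_t)(buf[2] | (buf[3] << 8));
    if ((size_t)out->len > buflen - HDR_LEN) return -1; /* declared > received */
    out->payload = buf + HDR_LEN;
    return 0;
}

/* Handle the set-zone message.  Returns the number of zone cells accepted,
 * or -1 when the message is rejected.  The comparison against sizeof zone is
 * the bound whose absence turns this handler class into a stack overflow. */
int handle_set_motion_zone(const ioctl_msg_t *msg)
{
    uint8_t zone[ZONE_MAX_CELLS];
    if (msg == NULL || msg->type != MSG_SET_MOTION_ZONE) return -1;
    if (msg->len > sizeof zone) return -1;      /* oversize payload: reject */
    memcpy(zone, msg->payload, msg->len);
    /* ... apply the zone mask to the motion detector here ... */
    return (int)msg->len;
}

/* Build a constructed message with n payload bytes, optionally truncated to
 * simulate a short read, and run it through both checks.  Returns the
 * handler result, or -1 if parsing already rejected the message. */
int process_constructed(uint16_t type, size_t n, size_t truncate_to)
{
    uint8_t buf[HDR_LEN + 256] = {0};
    size_t total = HDR_LEN + n;
    if (n > 256) return -1;
    buf[0] = (uint8_t)(type & 0xFF); buf[1] = (uint8_t)(type >> 8);
    buf[2] = (uint8_t)(n & 0xFF);    buf[3] = (uint8_t)(n >> 8);
    for (size_t i = 0; i < n; i++) buf[HDR_LEN + i] = 1;  /* constructed cells */
    if (truncate_to < total) total = truncate_to;         /* short read */
    ioctl_msg_t msg;
    if (parse_msg(buf, total, &msg) != 0) return -1;
    return handle_set_motion_zone(&msg);
}

int main(void)
{
    printf("in-bounds (64 cells): %d\n",
           process_constructed(MSG_SET_MOTION_ZONE, 64, SIZE_MAX));
    printf("oversize (200 cells): %d\n",
           process_constructed(MSG_SET_MOTION_ZONE, 200, SIZE_MAX));
    printf("declared 64, received 10: %d\n",
           process_constructed(MSG_SET_MOTION_ZONE, 64, HDR_LEN + 10));
    return 0;
}
```

The two checks are deliberately separate: `parse_msg` rejects a declared length larger than the bytes actually received (which would otherwise read past the input buffer), and `handle_set_motion_zone` rejects a declared length larger than the destination buffer (which would otherwise write past the stack array). A handler that performs only the first check is still overflowable.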
A technical dive into the vulnerabilities and how they are daisy-chained to compromise the Wyze Cam v3 is available below:
The vulnerabilities in the Roku Indoor Camera SE are identical to those in Wyze Cam v3 (and potentially other security cameras). Bitdefender researchers have daisy-chained CVE-2023-6322, CVE-2023-6323, and CVE-2023-6324 to obtain the necessary prerequisites for talking to the camera and for running OS commands as the root user.
A technical dive into the vulnerabilities and how they are daisy-chained to compromise the Roku Indoor Camera SE is available below:
The ramifications of these vulnerabilities extend far beyond the realm of theoretical exploits, as they directly impact the privacy and safety of users relying on devices powered by ThroughTek Kalay. Our findings have been responsibly disclosed both to the platform vendor and to the tested integrators. Updated versions of firmware and SDKs have been made available for the impacted devices to prevent these issues from being exploited in real-life scenarios.