Critical Bug Could Allow Remote Snooping Via Millions of Devices


Security researchers have found yet another critical IoT supply chain vulnerability affecting millions of devices, which could enable attackers to eavesdrop on real-time camera feeds.

Mandiant revealed the CVE-2021-28372 bug yesterday after reporting it to the Cybersecurity and Infrastructure Security Agency (CISA).

It affects devices using the “Kalay” platform from Taiwanese firm ThroughTek, which makes software for OEMs to use in IP cameras, baby and pet monitoring cameras, digital video recorders (DVRs) and more.

Although Mandiant wasn’t able to ascertain exactly how many devices are affected, the firm warned that, according to ThroughTek, more than 83 million are currently using Kalay.

The news comes just a couple of months after Nozomi Networks discovered a critical bug in the ThroughTek P2P SDK. However, unlike that flaw, this one allows threat actors to communicate with devices remotely, opening the door to remote code execution attacks, Mandiant claimed.

That said, exploitation is far from easy.

“An attacker would require comprehensive knowledge of the Kalay protocol and the ability to generate and send messages. The attacker would also need to obtain…