Top IoT platform vulnerabilities put 100+ million devices at risk — security cameras and baby monitors under threat


Several vulnerabilities have been identified by Bitdefender in the ThroughTek Kalay Platform, on which huge numbers of devices rely for IoT integration.

The flaws have severe ramifications for vendors further down the supply chain, with a number of prominent security cameras for businesses and domestic use suffering from a chain of vulnerabilities that provide root access from the local networks, and in some cases fully compromise the device.

The impacted cameras have been identified as the Owlet Cam v1 and v2, Roku Indoor Camera SE, and Wyze Cam v3.

Vulnerabilities through the lens

Supply chains are becoming an increasingly lucrative target for threat actors, and not just for IoT devices. By finding vulnerabilities in software at the top of the supply chain, attackers can exploit a range of software, services and devices further down the chain.

In this case, the software at the top is the ThroughTek Kalay platform which powers over 100 million devices around the globe, many of which are security oriented devices such as surveillance cameras.

The vulnerabilities identified by Bitdefender in this platform are tracked as CVE-2023-6321, which allows an authenticated user to run system commands as the root user, leading to full compromise of the device, and CVE-2023-6322, which enables attackers to gain root access through a stack-based buffer overflow in the handler of an IOCTL message typically used to configure motion detection zones in cameras.

Two further vulnerabilities, tracked as CVE-2023-6323 and CVE-2023-6324, can be chained with the two above in several combinations to give attackers access to the devices. The first allows a local attacker to leak the AuthKey secret by impersonating the P2P cloud server used by the device; the second allows a local attacker to infer the pre-shared key for a DTLS session by forcing an empty buffer.
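As an added illustration of the bug class behind CVE-2023-6322 (this is not ThroughTek's or any vendor's code; the payload layout, the `MAX_ZONES` capacity and the function names are assumptions), here is a bounds-checked handler for a hypothetical "set motion detection zones" IOCTL message, with comments marking the two checks whose absence produces a stack-based overflow:

```c
/* Hypothetical wire format (assumed for this example): byte 0 = zone count,
 * followed by count * 8 bytes, each zone being x, y, w, h as big-endian uint16.
 * The bug class described for CVE-2023-6322 arises when a handler copies
 * `count` zones into a fixed-size stack array without checking `count` against
 * the array's capacity or against the number of bytes actually received. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_ZONES 8          /* capacity of the handler's stack array (assumed) */
#define ZONE_WIRE_BYTES 8

typedef struct { uint16_t x, y, w, h; } zone_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Parses the message into out[0..MAX_ZONES-1].
 * Returns the number of zones parsed, or -1 if the message is malformed. */
int parse_zone_ioctl(const uint8_t *msg, size_t len, zone_t out[MAX_ZONES])
{
    if (msg == NULL || len < 1) return -1;
    size_t count = msg[0];
    /* Check 1: the attacker-controlled count must not exceed the destination
     * capacity. Without this, count > MAX_ZONES writes past the stack array. */
    if (count > MAX_ZONES) return -1;
    /* Check 2: the declared payload must fit in the bytes actually received,
     * otherwise the loop reads beyond the message buffer. */
    if (len - 1 < count * ZONE_WIRE_BYTES) return -1;
    for (size_t i = 0; i < count; i++) {
        const uint8_t *p = msg + 1 + i * ZONE_WIRE_BYTES;
        out[i].x = rd16(p);
        out[i].y = rd16(p + 2);
        out[i].w = rd16(p + 4);
        out[i].h = rd16(p + 6);
    }
    return (int)count;
}

/* Mimics the shape of the real handler: a fixed-size array on the stack. */
int handle_zone_ioctl(const uint8_t *msg, size_t len)
{
    zone_t zones[MAX_ZONES];
    memset(zones, 0, sizeof zones);
    return parse_zone_ioctl(msg, len, zones);
}
```

The rejected inputs (a count larger than the array, or a payload shorter than the count claims) are exactly the inputs an unchecked copy would turn into memory corruption.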

These vulnerabilities were first spotted by Bitdefender on October 19, 2023, and have since been patched by the individual vendors. Bitdefender urges owners of affected devices to install all device updates as they become available to mitigate existing and future vulnerabilities.

Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.