Cybercriminals could be listening and watching live audio and video feeds from smart devices and baby monitors due to a vulnerability that has been exposed by US cybersecurity experts Mandiant and the US Cybersecurity and Infrastructure Security Agency (CISA).
Tech HQ reports that a critical vulnerability that affects more than 83 million smart devices, including smart cameras and baby monitors, could allow hackers to listen to and watch live audio and video feeds.
The vulnerability poses a massive risk to people’s security and privacy, according to Mandiant, which is coordinating its disclosure with CISA.
While default passwords have prompted UK security services to warn consumers about criminal activity, the flaw discovered by Mandiant also affects devices that do not use default passwords.
According to Mandiant, the problem is in an IoT (Internet of Things) software protocol called Kalay, developed by Taiwanese company ThroughTek, which offers a platform to control smart devices from.
Before the coordinated disclosure of the vulnerability, ThroughTek had issued a warning to users, urging them to update their software to prevent hackers from gaining access to sensitive information in transmission and on victim devices.
A similar vulnerability was discovered in the Kalay protocol by Nozomi Networks earlier this year, although Mandiant says its discovery is more severe, allowing attackers to remotely control affected devices as well as snoop on them.
The Kalay protocol is installed by both original equipment manufacturers (OEMs) and resellers before smart devices reach consumers, Mandiant said, meaning it couldn’t determine a complete list of products affected.
However, the cybersecurity firm noted that ThroughTek’s website ‘reports more than 83 million active devices on the Kalay platform at the time of writing’.
In 2014, the UK’s data watchdog warned Britons that private webcam feeds were being streamed on a Russian website, using default logins and passwords to access the devices, which has led to the government planning to introduce a new law that will force OEMs and resellers of smart devices to meet minimum security requirements in the UK.
The Product Security and Telecommunications Infrastructure Bill was announced during the Queen’s Speech earlier this year, although this is not yet law.
When announcing the law earlier in 2021, digital infrastructure minister Matt Warman said: “We are changing the law to ensure shoppers know how long products are supported with vital security updates before they buy and are making devices harder to break into by banning easily guessable default passwords.”
He said that the reforms will mitigate the efforts of online criminals, as well as helping boost the UK’s plans to build back better and safer post-pandemic.
A spokesperson for the UK’s National Cyber Security Centre (NCSC) said the organisation is aware of the vulnerability, and ThroughTek has released an update to fix the issue.
“Simply using the platform does not automatically make you vulnerable to real-world impact, as additional information that is hard to guess is needed to exploit the vulnerability in an individual device successfully,” the spokesperson said.
“To maximise protection, the NCSC recommends individuals keep their software up to date by installing the latest vendor updates as soon as practicable.”
If you’re looking for IT experts in Doncaster, talk to us today.