Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Critical bug impacting millions of IoT devices lets hackers spy on you

Critical bug impacting millions of IoT devices lets hackers spy on you

Security researchers are sounding the alarm on a critical vulnerability affecting tens of millions of devices worldwide connected via ThroughTek’s Kalay IoT cloud platform.

The security issue impacts products from various manufacturers providing video and surveillance solutions as well as home automation IoT systems that use the Kalay network for easy connectin and communication with a corresponding app.

A remote attacker could leverage the bug to gain access to the live audio and video streams, or to take control of the vulnerable device.

Also Read: 4 Reasons Why You Need an Actively Scanning Antivirus Software

Hijacking device connections

Researchers at Mandiant’s Red Team discovered the vulnerability at the end of 2020 and worked with the U.S. Cybersecurity and Infrastructure Security Agency and ThroughTek to coordinate the disclosure and create mitigation options.

Tracked as CVE-2021-28372, the issue is a device impersonation vulnerability that received a severity score of 9.6 out of 10. It affects the Kalay protocol that is implemented as a software development kit (SDK) that is built into mobile and desktop applications.

Mandiant’s Jake Valletta, Erik Barzdukas, and Dillon Franke looked at ThroughTek’s Kalay protocol and found that registering a device on the Kalay network required only the device’s unique identifier (UID).

Following this lead, the researchers discovered that a Kalay client, such as a mobile app, usually receives the UID from a web API hosted by the vendor of the IoT device.

Device registration on ThroughTek's Kalay network

An attacker with the UID of a target system could register on the Kalay network a device they control and receive all client connection attempts.

This would allow them to obtain the login credentials that provide remote access to the victim device audio-video data.

Impersonating a device on ThroughTek's Kalay network

The researchers say that this type of access combined with vulnerabilities in device-implemented RPC (remote procedure call) interface can lead to complete device compromise.

“Mandiant observed that the binaries on IoT devices processing Kalay data typically ran as the privileged user root and lacked common binary protections such as Address Space Layout Randomization (“ASLR”), Platform Independent Execution (“PIE”), stack canaries, and NX bits” – Mandiant

During their research of this vulnerability, Mandiant researchers were able to develop a functional implementation of the Kalay protocol, which allowed them to discover devices, register them, connect to remote clients, authenticate, and process audio and video data.

They also created proof-of-concept (PoC) exploit code that allowed them to impersonate a device on the Kalay network. A video showing the feat is available below:

By the latest data from ThroughTek, its Kalay platform has more than 83 million active devices and manages over 1 billion connections every month.

Mitigation options for devs and owners

In a security advisory published on July 20 for another critical vulnerability in its SDK (CVE-2021-32934), and updated on August 13, ThroughTek provides guidance that customers can follow to mitigate the risks associated with CVE-2021-28372:

  • If using ThroughTek SDK v3.1.10 and above, please enable AuthKey and DTLS (Datagram Transport Layer Security) to protect data in transit;
  • If using ThroughTek SDK the older versions before v3.1.10, please upgrade library to v3.3.1.0 or v3.4.2.0 and enable AuthKey and DTLS.

Mandiant also recommends reviewing security controls defined on APIs or other services that can return Kalay UIDs.

The researchers note that an attacker exploiting the device impersonation vulnerability would need to be knowledgeable of the Kalay protocol and how messages are being generated and delivered.

Obtaining the UIDs is also a task that requires some effort from the attacker (social engineering, exploiting other vulnerabilities).

What owners of affected devices can do to mitigate the risk is keep their device software and applications updated to the latest version and define complex, unique login passwords.

Furthermore, they should avoid connecting to IoT devices from an untrusted network (e.g. public WiFi).

Because the Kalay platform is used by devices from a large number of manufacturers, it is difficult to create a list with the affected brands.

Update [17:45 EST]: CISA also released a security advisory for CVE-2021-28372, providing technical details and mitigation recommendations.

Also Read: What is Social Engineering and How Does it Work?



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us