Researchers discovered four significant vulnerabilities in the ThroughTek Kalay Platform, which powers 100 million IoT-enabled devices. These vulnerabilities, tracked as CVE-2023-6321, CVE-2023-6322, CVE-2023-6323, and CVE-2023-6324, allow for remote code execution and unauthorized root access from within the local network. The affected devices include popular security cameras such as the Roku Indoor Camera SE, Wyze Cam v3, and Owlet Cam v1 and v2.
CVE-2023-6321, an OS command injection vulnerability in Owlet Cameras, enables complete device compromise by allowing an authorized user to execute system commands as the root user. CVE-2023-6322, a stack-based buffer overflow vulnerability, allows attackers to gain root access through the IOCTL message handler used for motion detection zones. This vulnerability is therefore specific to devices with motion detection capabilities.
CVE-2023-6323 involves insufficient verification in the ThroughTek Kalay SDK, enabling local attackers to obtain the AuthKey secret without authorization and thereby establish an initial connection to the victim’s device. CVE-2023-6324 stems from an error in how the ThroughTek Kalay SDK handles the PSK identity, allowing attackers to infer the pre-shared key for a DTLS session, which is essential for establishing a connection and communicating with target devices.
The combined effect of these vulnerabilities can fully compromise affected devices, highlighting the critical need for enhanced security measures in IoT devices. Bitdefender researchers emphasized the importance of protecting homes, companies, and integrators, given the widespread presence of ThroughTek Kalay in security cameras and other devices. This situation underscores the necessity for robust cybersecurity practices to safeguard IoT ecosystems.