A new cybersecurity alert warns that baby monitors and video doorbells people use to keep their families safe can actually watch their every move and make them susceptible to criminals.
A research team said Tuesday that it discovered a flaw that potentially gives hackers access to live video and audio from millions of internet-connected devices found throughout Americans’ homes.
The vulnerability affects more than 83 million devices that use ThroughTek’s Kalay network, according to the cybersecurity firm FireEye’s Mandiant division. ThroughTek is a technology company started in Taiwan that services “internet-of-things” (IoT) devices and develops software.
Any product built on Kalay is at risk. According to ThroughTek, that includes such household staples as the security cameras used in baby monitors, video doorbells, home appliances, smart locks, smart robots, personal cloud storage devices and many other devices.
The company’s website said its home video surveillance products also support Amazon Alexa and Google Home Assistant.
“This vulnerability … would enable adversaries to remotely compromise victim IoT devices, resulting in the ability to listen to live audio, watch real-time video data, and compromise device credentials for further attacks based on exposed device functionality,” Mandiant said in a statement. “These further attacks could include actions that would allow an adversary to remotely control affected devices.”
Mandiant said it coordinated with the federal Cybersecurity and Infrastructure Security Agency (CISA), which published a security advisory about the flaw in the Kalay platform on Tuesday.
CISA’s Eric Goldstein said in a statement that the vulnerability could not only give remote access to watch and listen to live video streams but also compromise device credentials for more attacks. Mr. Goldstein urged users, vendors, and product manufacturers to visit CISA’s website for detailed recommendations about how to mitigate the problem.
In June, CISA published an advisory warning of a vulnerability in ThroughTek software that could expose sensitive information to hackers.
The newly disclosed vulnerability differs from the earlier one in that, according to Mandiant, the flaw it unearthed allows attackers to communicate with devices remotely.
Precisely which devices are affected remains unclear. Mandiant said it could not develop a comprehensive list of vulnerable devices, but ThroughTek’s website states that more than 83 million devices use Kalay and 1.1 billion connections are made on the platform per month.
To exploit the problem, Mandiant said, a hacker would need comprehensive knowledge of the Kalay protocol and would have to obtain the Kalay unique identifiers registered to individual devices, which could be done by manipulating someone who has them or by finding other flaws in the products.
ThroughTek spokesperson Yi-Ching Chen said the company notified customers about the flaw and how to address it. The spokesperson said in an email that the company takes cybersecurity seriously and thought the vulnerability would only happen when someone’s Wi-Fi was compromised.
“[W]e have a dedicated software test team to assure our software is built with great quality and security and perform penetration tests periodically,” the spokesperson said. “Furthermore, we collaborate with our customers to have security assessments performed by 3rd party pen-testers.”
Consumers’ worries about how their devices can be used to snoop on them are not new.
Former National Security Agency contractor Edward Snowden, who in 2013 revealed NSA’s vast global surveillance programs, worried about owning a blender to make milkshakes after fleeing to Moscow. He feared the device’s electronic signature could provide clues about his whereabouts to the U.S. government and others, according to author Barton Gellman’s 2020 book “Dark Mirror.”
People with knowledge of government secrets are not the only ones who fall victim to unwanted surveillance. Earlier this year, an ADT home security technician was sentenced to more than four years in prison for hacking into customers’ video feeds. The technician accessed approximately 200 accounts without users’ consent more than 9,600 times, according to the Justice Department.
Mandiant said it worked with both ThroughTek and CISA to disclose the vulnerability it made public on Tuesday.
The cybersecurity company’s partnership with the federal government looks to be a harbinger of how future problems will be made public: FireEye Mandiant is participating in the Joint Cyber Defense Collaborative, which CISA established to link the law enforcement and national security communities with private tech companies to combat hackers.
Mandiant listed the researchers responsible for discovering the vulnerability in ThroughTek’s product as Erik Barzdukas, Dillon Franke, and Jake Valletta.