2021-08-17

Cybersecurity researchers said Tuesday they discovered a flaw that exposes live video data and audio from millions of internet-connected devices to hackers.

The vulnerability affects more than 83 million devices that use ThroughTek’s Kalay network, according to the cybersecurity firm FireEye’s Mandiant division. ThroughTek is a technology company started in Taiwan that services “internet-of-things” (IoT) devices and develops software.

“This vulnerability, discovered by researchers on Mandiant’s Red Team in late 2020, would enable adversaries to remotely compromise victim IoT devices, resulting in the ability to listen to live audio, watch real-time video data, and compromise device credentials for further attacks based on exposed device functionality,” Mandiant said in a statement. “These further attacks could include actions that would allow an adversary to remotely control affected devices.”

Mandiant said it coordinated with the federal Cybersecurity and Infrastructure Security Agency (CISA), which did not immediately respond to requests for comment. In June, CISA published an advisory warning of a vulnerability in ThroughTek software that could expose sensitive information to hackers.

The newly discovered software vulnerability differs from the previous one, Mandiant said, in that the flaw it unearthed allows cyberattackers to communicate with devices remotely.

Precisely which devices are affected remains unclear. Mandiant said it could not develop a comprehensive list of vulnerable devices, but ThroughTek’s website states that more than 83 million devices use Kalay and 1.1 billion connections are made on the platform per month.

According to ThroughTek’s website, the Kalay platform’s supported products for its smart-home offerings include security cameras such as those used for baby monitors, video door phones, home appliances, smart locks, smart robots, personal cloud storage devices and many other devices. The company’s website said its home video surveillance products support Amazon Alexa and Google Home Assistant.

To exploit the problem, Mandiant said, a hacker would need comprehensive knowledge of the Kalay protocol and would need to obtain the Kalay unique identifiers registered to individual devices, which hackers could get by manipulating someone or by finding other flaws in the products.

ThroughTek has not answered a request for comment. Mandiant said it worked with both ThroughTek and CISA to disclose the vulnerability.

The cybersecurity company’s stated partnership with the federal government looks to be a harbinger of how future problems will be made public: FireEye Mandiant is participating in the Joint Cyber Defense Collaborative, which CISA established to link the law enforcement and national security communities with private tech companies to combat hackers.

Mandiant listed the researchers responsible for discovering the vulnerability in ThroughTek’s product as Erik Barzdukas, Dillon Franke and Jake Valletta.

Copyright © 2021 The Washington Times, LLC.