A critical vulnerability affecting more than 83 million smart devices, including smart cameras and baby monitors, could allow hackers to listen to and watch live audio and video feeds, it has emerged.

The flaw “poses a huge risk” to people’s security and privacy, said security company Mandiant, which is coordinating its disclosure with the US Cybersecurity and Infrastructure Security Agency (CISA).
Default passwords have already prompted UK security services to warn consumers about criminal activity, but the flaw discovered by Mandiant also affects devices which do not use default passwords: because the weakness lies in the communication protocol rather than in the device’s login credentials, changing the password does not remove the risk.

According to Mandiant, the problem is in an IoT (Internet of Things) software protocol called Kalay, developed by Taiwanese company ThroughTek, which offers a platform for controlling smart devices remotely.

Before the coordinated disclosure was made, ThroughTek warned users to update their software to stop hackers accessing “sensitive information in transmission and on victim devices”.
A similar vulnerability was discovered in the Kalay protocol by Nozomi Networks earlier this year, although Mandiant says its discovery is more severe, because it allows attackers to remotely control affected devices as well as snoop on them.
Because the Kalay protocol is built into devices by both original equipment manufacturers (OEMs) and resellers before those devices reach consumers, Mandiant said it could not compile a complete list of affected products.
However, the business – which is part of cyber security company FireEye – noted that ThroughTek’s website “reports more than 83 million active devices on the Kalay platform at the time of writing”.

Back in 2014, the UK’s data watchdog warned Britons that private webcam feeds were being streamed on a Russian website, using default logins and passwords to access the devices.

The British government plans to introduce a new law which will force OEMs and resellers of smart devices to meet minimum security requirements in the UK.
What are the new rules for smart devices?
At the point of sale, consumers must be informed of how long their devices will receive security software updates for
Manufacturers will be banned from using weak universal default passwords, such as ‘password’ or ‘admin’
Manufacturers will be required to provide a public point of contact to make it simpler for anyone to report a vulnerability
The government announced the Product Security and Telecommunications Infrastructure Bill during the Queen’s Speech earlier this year, although it is not yet law.

Announcing the law earlier this year, digital infrastructure minister Matt Warman said: “We are changing the law to ensure shoppers know how long products are supported with vital security updates before they buy and are making devices harder to break into by banning easily guessable default passwords.

“The reforms, backed by tech associations around the world, will torpedo the efforts of online criminals and boost our mission to build back safer from the pandemic.”