
FEYE-2021-0020

Description

ThroughTek's Kalay Platform 2.0 network allows an attacker to impersonate an arbitrary ThroughTek (TUTK) device given a valid 20-byte uniquely assigned identifier (called a UID). This could result in an attacker hijacking a victim's connection and forcing them into supplying credentials needed to access the victim TUTK device.

Impact

Very High - An attacker could remotely compromise victim Kalay-enabled devices with root level privileges.

Exploitability

High - To exploit this vulnerability, an attacker would first require a victim TUTK UID. An attacker could then maliciously register this TUTK UID on the Kalay network and impersonate the victim device.

Finally, the attacker would wait until a victim client attempted to connect to the maliciously registered TUTK UID. When this occurred, the attacker could steal the associated username and password needed to access the victim device. The attacker could then remotely access the victim device.

CVE Reference

CVE-2021-28372

Technical Details

Mandiant determined that the device registration process requires only the device’s UID to access the network.

If an attacker obtains a UID of a victim Kalay device, they can maliciously register a device with the same UID on the network and cause the Kalay servers to overwrite the existing Kalay device. Once an attacker has maliciously registered a UID, any client connection attempts to access the victim UID will be directed to the attacker. The attacker can then continue the connection process and obtain the authentication materials (a username and password) needed to access the device.

Resolution

ThroughTek and Mandiant recommend that original equipment manufacturers implement the following mitigations:

  • If the SDK is version 3.1.10 or above, enable authkey and DTLS.
  • If the SDK is any version prior to 3.1.10, upgrade the library to v3.3.1.0 or v3.4.2.0 and enable authkey and DTLS.
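A fleet triage helper that applies these two rules across an inventory, added here as an example and not part of the advisory or ThroughTek's SDK; the inventory records and device names are constructed, and whether authkey and DTLS are enabled is assumed to be known from each device's configuration:

```python
"""Triage Kalay-enabled devices against the CVE-2021-28372 mitigation guidance.

Constructed example: an inventory of devices with their ThroughTek SDK version
and whether authkey and DTLS are already enabled.
"""
from typing import Dict, List, Tuple

# Thresholds copied from the advisory's Resolution section.
AUTHKEY_DTLS_MIN_VERSION = "3.1.10"
UPGRADE_TARGETS = ("3.3.1.0", "3.4.2.0")


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse '3.1.10' or 'v3.3.1.0' into an int tuple, padded to four
    components so that 3.1.10 and 3.1.10.0 compare as equal."""
    parts = [int(p) for p in version.strip().lstrip("vV").split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def recommend(version: str, authkey_enabled: bool, dtls_enabled: bool) -> str:
    """Map one device's SDK state to the advisory's recommended action."""
    if parse_version(version) < parse_version(AUTHKEY_DTLS_MIN_VERSION):
        return (f"upgrade library to v{UPGRADE_TARGETS[0]} or v{UPGRADE_TARGETS[1]}, "
                "then enable authkey and DTLS")
    missing = [name for name, on in (("authkey", authkey_enabled),
                                     ("DTLS", dtls_enabled)) if not on]
    if missing:
        return "enable " + " and ".join(missing)
    return "mitigated"


# Constructed inventory (hypothetical device names; UIDs deliberately not stored here).
INVENTORY: List[Dict] = [
    {"device": "cam-lobby-01", "sdk": "3.0.5",    "authkey": False, "dtls": False},
    {"device": "cam-dock-02",  "sdk": "3.1.10",   "authkey": True,  "dtls": False},
    {"device": "dvr-site-03",  "sdk": "v3.4.2.0", "authkey": True,  "dtls": True},
]


def triage(inventory: List[Dict]) -> Dict[str, str]:
    """Return {device: recommended action} for the whole inventory."""
    return {d["device"]: recommend(d["sdk"], d["authkey"], d["dtls"]) for d in inventory}


if __name__ == "__main__":
    for device, action in triage(INVENTORY).items():
        print(f"{device}: {action}")
```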

Discovery Credits

  • Jake Valletta, Mandiant
  • Erik Barzdukas, Mandiant
  • Dillon Franke, Mandiant

Disclosure Timeline

  • 2 May 2021 - Issue reported to vendor
  • 7 June 2021 - Issue confirmed by ThroughTek
  • 29 June 2020 - Mandiant engages CISA for joint disclosure
  • 13 August 2021 - ThroughTek releases mitigation steps
  • 17 August 2021 - Mandiant & CISA advisory published

References