Aug 18 2021

Kalay cloud platform flaw exposes millions of IoT devices to hack

Category: IoT SecurityDISC @ 11:36 am

FireEye Mandiant researchers have discovered a critical vulnerability in the Kalay cloud platform that exposes millions of IoT devices to attacks.

Researchers at FireEye’s Mandiant have discovered a critical vulnerability, tracked as CVE-2021-28372, in a core component of the Kalay cloud platform which is used by millions of IoT devices from many vendors.

The flaw could be easily exploited by a remote attacker to take over an IoT device, the only info needed for the attack is the Kalay unique identifier (UID) of the targeted user. The identifier could be obtained via social engineering.

“The vulnerabilities described in this post affect a core component of the Kalay platform. Mandiant was not able to create a comprehensive list of affected devices; however, ThroughTek’s website reports more than 83 million active devices on the Kalay platform at the time of writing this post.” states the report published by Mandiant. “An attacker would require comprehensive knowledge of the Kalay protocol and the ability to generate and send messages. The attacker would also need to obtain Kalay UIDs through social engineering or other vulnerabilities in APIs or services that return Kalay UIDs. From there, an attacker would be able to remotely compromise affected devices that correspond to the obtained UIDs.”

An attacker that has obtained the UID of a targeted device could send a specially crafted request to the Kalay network to register another device with the same UID on the network. Then the Kalay servers will overwrite the existing device. Once the victim will connect the device, his connection will be directed to the attacker that could obtain the credentials used by the victim to access the device.

Most of the devices using the platform are video surveillance products such as IP cameras and baby monitors, an attacker could exploit this flaw to eavesdrop audio and video data.

The attacker could also use RPC (remote procedure call) functionality to completely take over the device.

Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things

Tags: IoT, IoT devices, IoT Hacking, IoT security

Jun 19 2021

Preventing security issues from destroying the promise of IoT

Category: IoT SecurityDISC @ 12:50 pm

Tags: IoT Hacking, IoT security

May 25 2021

New Bluetooth Flaws Let Attackers Impersonate Legitimate Devices

Category: BluetoothDISC @ 8:49 am

Adversaries could exploit newly discovered security weaknesses in Bluetooth Core and Mesh Profile Specifications to masquerade as legitimate devices and carry out man-in-the-middle (MitM) attacks.

“Devices supporting the Bluetooth Core and Mesh Specifications are vulnerable to impersonation attacks and AuthValue disclosure that could allow an attacker to impersonate a legitimate device during pairing,” the Carnegie Mellon CERT Coordination Center said in an advisory published Monday.

The two Bluetooth specifications define the standard that allows for many-to-many communication over the short-range wireless technology to facilitate data transfer between devices in an ad-hoc network.

The Bluetooth Impersonation AttackS, aka BIAS, enable a malicious actor to establish a secure connection with a victim, without having to know and authenticate the long-term key shared between the victims, thus effectively bypassing Bluetooth’s authentication mechanism.

“The BIAS attacks are the first uncovering issues related to Bluetooth’s secure connection establishment authentication procedures, adversarial role switches, and Secure Connections downgrades,” the researchers said. “The BIAS attacks are stealthy, as Bluetooth secure connection establishment does not require user interaction.”

“To confirm that the BIAS attacks are practical, we successfully conduct them against 31 Bluetooth devices (28 unique Bluetooth chips) from major hardware and software vendors, implementing all the major Bluetooth versions, including Apple, Qualcomm, Intel, Cypress, Broadcom, Samsung, and CSR.”

In addition, four separate flaws have been uncovered in Bluetooth Mesh Profile Specification versions 1.0 and 1.0.1. A summary of the flaws is as follows –

  • CVE-2020-26555 – Impersonation in Bluetooth legacy BR/EDR pin-pairing protocol (Core Specification 1.0B through 5.2)
  • CVE-2020-26558 – Impersonation in the Passkey entry protocol during Bluetooth LE and BR/EDR secure pairing (Core Specification 2.1 through 5.2)
  • N/A – Authentication of the Bluetooth LE legacy pairing protocol (Core Specification 4.0 through 5.2)
  • CVE-2020-26556 – Malleable commitment in Bluetooth Mesh Profile provisioning (Mesh profile 1.0 and 1.0.1)
  • CVE-2020-26557 – Predictable AuthValue in Bluetooth Mesh Profile provisioning (Mesh profile 1.0 and 1.0.1)
  • CVE-2020-26559 – Bluetooth Mesh Profile AuthValue leak (Mesh profile 1.0 and 1.0.1)
  • CVE-2020-26560 – Impersonation attack in Bluetooth Mesh Profile provisioning (Mesh profile 1.0 and 1.0.1)

“Our attacks work even when the victims are using Bluetooth’s strongest security modes, e.g., SSP and Secure Connections. Our attacks target the standardized Bluetooth authentication procedure, and are therefore effective against any standard compliant Bluetooth device,” the researchers said.

The Android Open Source Project (AOSP), Cisco, Cradlepoint, Intel, Microchip Technology, and Red Hat are among the identified vendors with products impacted by these security flaws. AOSP, Cisco, and Microchip Technology said they are currently working to mitigate the issues.

The Bluetooth Special Interest Group (SIG), the organization that oversees the development of Bluetooth standards, has also issued security notices for each of the six flaws. Bluetooth users are recommended to install the latest recommended updates from device and operating system manufacturers as and when they are available.

Source: The Hacker News

Tags: IoT security