Many types of smart devices have been identified as being at risk of hacking, among them security cameras, DVRs, and baby monitors. The vulnerability means that attackers may be able to access live video and audio streams over the Internet.
The vulnerability is not tied to a specific device manufacturer, since the flaw lies in a software development kit used by many vendors and built into 83 million smart devices. These devices make over one billion connections to the Internet per month.
The software is ThroughTek Kalay, which provides a plug-and-play system for connecting smart devices with their corresponding mobile apps. The Kalay platform brokers the connection between a device and its app, handles authentication, and sends commands and data back and forth.
The affected ThroughTek P2P products may be vulnerable to improper access controls. This vulnerability can allow an attacker to access sensitive information (such as camera feeds) or perform remote code execution. The weakness therefore sits in the Kalay functionality that coordinates between a device and its app, for example between a security camera and the app that remotely controls the camera angle.
Looking at the incident for Digital Journal is security expert Robert Prigge, CEO of Jumio.
According to Prigge, this attack introduces special types of dangers and these will be of concern to parents. He finds: “While this vulnerability is harmful to anyone with a smart device linked to the Kalay platform, it’s particularly concerning that baby monitor feeds are involved.”
With the specific risk, Prigge notes: “Through a simple social engineering tactic like phishing, hackers can extract a device’s identifier and obtain its unique credentials. From there, criminals can take full remote control of the device to watch live video feeds, install malware or download footage and leverage it for malicious purposes.”
To prevent these types of attacks in the future, Prigge feels strongly that a new form of identification is needed. Here he recommends: “While this vulnerability is a serious lapse in security, usernames and passwords in general can no longer be trusted as a secure form of authentication in today’s fraud environment.”
“Instead, IoT companies must leverage biometric authentication — using a person’s unique human traits to verify identity — to ensure smart devices and their connected online accounts can only be accessed by authorized users.”