Millions of IoT devices, including cameras, smart baby monitors, and Digital Video Recorder (DVR) products, may be impacted by a vulnerability affecting devices that use the ThroughTek “Kalay” network. ThroughTek claims to have more than 1.1 billion connections per month and 83 million active devices. The vulnerability, discovered by researchers, poses a very high risk to the privacy and security of users.
By exploiting the vulnerability, attackers can compromise IoT devices to watch real-time video and listen to live audio. They can also compromise device credentials to carry out additional attacks, which may lead to remote control of the device itself. The vulnerability has been assigned a CVSS v3.1 base score of 9.6 and is tracked as CVE-2021-28372 and FEYE-2021-0020.
For more detailed information, see FireEye’s Threat Research Blog post, “Mandiant Discloses Critical Vulnerability Affecting Millions of IoT Devices.”