Bitdefender has released a new report detailing significant security flaws in the ThroughTek Kalay SDK platform, a backbone for over 100 million IoT devices globally, including cameras sold by Wyze and Roku.
These vulnerabilities, identified in key surveillance and security systems, pose a profound threat to user privacy and safety.
Overview of the flaws
The investigation led by Bitdefender's IoT research team uncovered four major vulnerabilities (CVE-2023-6321, CVE-2023-6322, CVE-2023-6323, CVE-2023-6324) that affect numerous devices utilizing the ThroughTek Kalay platform.
This platform is integral to the functionality of devices such as surveillance cameras and security monitors, marking these vulnerabilities as especially critical given their potential to compromise personal and corporate security.
Here's a breakdown of the flaws the Bitdefender team discovered:
- CVE-2023-6321: Allows authenticated users to execute system commands as the root user, leading to full device compromise.
- CVE-2023-6322: Enables root access via a stack-based buffer overflow, typically triggered in motion detection settings.
- CVE-2023-6323: Allows attackers to steal the AuthKey secret used in initial device connections.
- CVE-2023-6324: Permits attackers to deduce pre-shared keys for DTLS sessions, crucial for secure communication with devices.
Together, these vulnerabilities enable attackers to gain unauthorized root access and perform remote code execution, though the latter requires initial local network access to the device.
Discovery and disclosure timeline:
- October 19, 2023 – Bitdefender notifies ThroughTek of the vulnerabilities.
- October 20, 2023 – ThroughTek confirms the issues.
- October 26, 2023 – ThroughTek requests a 90-day extension for fixes.
- March 15, 2024 – Additional extension requested.
- April 12, 2024 – A coordinated vulnerability disclosure date is set.
- April 16, 2024 – ThroughTek confirms patches have been applied to all affected SDK versions.
- May 15, 2024 – Public disclosure of the report.
Widespread impact
The ThroughTek Kalay platform is used by several IoT devices, including the Roku Indoor Camera SE and Wyze Cam v3, among others, so the impact is broad. Bitdefender says it could impact up to 100 million IoT devices.
Impacted models include, but are not limited to, Wyze Cam v3, Roku Indoor Camera SE, and Owlet Cam v1 and v2. For the specific impact on each, and the remediation measures available, Bitdefender has published separate whitepapers for the three vendors (Roku, Wyze, Owlet).
The discovery of these vulnerabilities underscores the critical need for rigorous security protocols in IoT devices, especially those involved in security and surveillance. The prompt response from ThroughTek and the affected vendors in patching these issues has mitigated immediate risks, but the incident highlights the ongoing challenges in securing IoT ecosystems.
Users of the affected devices are strongly advised to update their firmware to the latest versions provided by the manufacturers. Regular updates and strong admin account passwords are essential practices for safeguarding IoT devices against exploitation. Additionally, IoT devices should be isolated from critical networks and taken offline when not actively needed.