7.6
CVSSv2

CVE-2021-28372

Published: 17/08/2021 Updated: 18/08/2021
CVSS v2 Base Score: 7.6 | Impact Score: 10 | Exploitability Score: 4.9
CVSS v3 Base Score: 8.3 | Impact Score: 6 | Exploitability Score: 1.6
Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C

Vulnerability Summary

ThroughTek's Kalay Platform 2.0 network allows an malicious user to impersonate an arbitrary ThroughTek (TUTK) device given a valid 20-byte uniquely assigned identifier (UID). This could result in an attacker hijacking a victim's connection and forcing them into supplying credentials needed to access the victim TUTK device.

Most Upvoted Vulmon Research Post

ThroughTek "Kalay" Network Device Impersonation Vulnerability Proof of Concept. The vulnerability affects millions of IoT devices.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

throughtek kalay p2p software development kit

Recent Articles

Bug in Millions of Flawed IoT Devices Lets Attackers Eavesdrop
Threatpost • Lisa Vaas • 17 Aug 2021

Security researchers have discovered a critical flaw that affects tens of millions of internet-of-things (IoT) devices – one that exposes live video and audio streams to eavesdropping threat actors and which could enable attackers to take over control of devices, including security webcams and connected baby monitors.
The flaw, tracked as CVE-2021-28372 and FEYE-2021-0020 and assigned a critical CVSS3.1 base score of 9.6, was found in devices connected via ThroughTek’s Kalay IoT cloud ...

Mandiant Discloses Critical Vulnerability Affecting Millions of IoT Devices
Fireeye Threat Research • by Jake Valletta, Erik Barzdukas, Dillon Franke • 17 Aug 2021

Today, Mandiant disclosed a critical risk vulnerability in coordination with the Cybersecurity and Infrastructure Security Agency (“CISA”) that affects millions of IoT devices that use the ThroughTek “Kalay” network. This vulnerability, discovered by researchers on Mandiant’s Red Team in late 2020, would enable adversaries to remotely compromise victim IoT devices, resulting in the ability to listen to live audio, watch real time video data, and compromise device credentials for furthe...

Critical bug impacting millions of IoT devices lets hackers spy on you
BleepingComputer • Ionut Ilascu • 01 Jan 1970

Security researchers are sounding the alarm on a critical vulnerability affecting tens of millions of devices worldwide connected via ThroughTek’s Kalay IoT cloud platform.
The security issue impacts products from various manufacturers providing video and surveillance solutions as well as home automation IoT systems that use the Kalay network for easy connectin and communication with a corresponding app.
A remote attacker could leverage the bug to gain access to the live audio and ...