The Throughtek Kalay Vulnerability Is Absolutely Absurd; Here’s Why It Should Worry You

Jerod Venema
AWS in Plain English
6 min read · Sep 16, 2021


Visualize 83 million people (about the population of Canada, Oregon, and California combined) each with a baby monitor or security camera inside their homes. Now imagine each of those cameras quietly sending their video feeds to hackers. These hackers could then sell access to or recordings of these live feeds to any bad actor willing to pay for them — all without the camera owners ever realizing it.

It’s a horrifying possibility. But this isn’t dystopian fiction. On August 17, 2021, in coordination with the Cybersecurity and Infrastructure Security Agency (CISA), the Mandiant team disclosed a critical risk vulnerability that affects approximately 83 million IoT devices that use the ThroughTek “Kalay” network. That means 83 million devices were at risk of being remotely taken over by hackers.

This story is a five-alarm fire alerting us to the need to build more secure streaming technology to protect customers. But while the ThroughTek vulnerability should worry everyone in the video streaming industry, the company’s response to this security hole shows we are not taking this situation and its implications seriously enough. Here’s why, and what we need to do about it.

What happened at ThroughTek — and what they said about it

Let’s start with how the ThroughTek vulnerability became news. Hoping to find weaknesses before hackers do, security researchers are constantly scanning and investigating possible security problems in popular software/hardware solutions. In late 2020, these experts found a security hole in the Kalay software development kit (SDK) from ThroughTek, which is a solution designed to enable direct streaming of media from IoT devices (like smart baby monitors and security cameras) to end-users. When the issue became known, ThroughTek issued the following statement regarding mitigation of the security problem:

“This vulnerability has been addressed in SDK version 3.1.10 and onwards, which was released in 2018. We STRONGLY suggest that you review the SDK version applied in your product and follow the instructions below to avoid any potential problems… If SDK is 3.1.10 or above, please enable AuthKey and DTLS. If SDK is below 3.1.10, please upgrade to library 3.3.1.0 or 3.4.2.0 and enabling AuthKey and DTLS.” [emphasis mine]

While I’m sure this statement is true (at least, as far as ThroughTek knows), it is possibly the most ridiculous advice I have ever seen for security mitigation. Not because of what it directly says, but because of what it implies. It states that the users should “use firmware that actually has encryption capabilities,” and “use encryption.” This is the technology equivalent of telling a customer: “Close the front door when you leave your house; oh, and you should probably have a front door on your house too.”

While there’s nothing wrong with expecting customers to keep their SDKs updated, here’s the million-dollar question: How, in today’s world of interconnected devices and aggressive hackers, did ThroughTek fail to secure their streaming this badly to begin with?

A crash course in audio/video streaming security

I’m going to get into some conjecture here, but I’d like to go over the two main areas where a typical video streaming solution can have security holes. Given this picture from ThroughTek, as well as the statements above, it appears they have problems in both major areas.

First, there is the signaling. Consider your mobile phone. When someone across the country dials your phone number, signaling is what tells your phone to ring. Your phone maintains a constant connection to your wireless service provider; when a friend or co-worker dials your number, a signal is sent to the provider, which routes it through the system until it notifies your phone, and your phone rings. That’s signaling.

Second, there is the media stream. Once your phone rings, you pick it up. Notifications go back and forth, and then the audio starts to stream from one side to the other, and you can hear your companion talking.

An IoT streaming service works the same way. A connection is held open from the IoT device to the streaming gateway (the “cell phone” to “service provider” connection), and the gateway is responsible for passing along notifications to parties that wish to connect to one another.

Once the signaling completes, media (audio/video) can flow, and you can start to see and hear one another. This media flow has to be authorized by the original signaling handshake, and also has to be transmitted securely. A best practice would be to enforce DTLS 1.2 (datagram transport layer security) for transmitting media securely.

These two components (signaling and media) make up the core elements of any audio/video streaming solution. They also scale very differently and often use entirely different technologies and protocols, so they are usually treated separately from start to finish, including from a security point of view.

Their signaling was not secure

Signaling can be done over any number of channels, but these days the most common is the standard HTTPS request or its cousin, the WebSocket. Both of these protocols fully support TLS encryption (SSL and TLS are often used interchangeably, though they are not equivalent). According to the CISA report, the affected Kalay SDK versions included “SDK versions with the nossl tag.”

This is a massive red flag. It indicates ThroughTek shipped Kalay SDK versions to customers, in production, without any encryption (“nossl”) at all on the signaling! This is appallingly negligent, the equivalent of selling customers a new house without a front door. Any signaling information sent to or from the IoT devices could easily be intercepted and manipulated.

TLS security should always default to on and should be enforced. This can introduce challenges when getting started — SSL and TLS certificates can be a pain to implement, and developers can certainly add overrides and exceptions. But this is one case where security beats usability, and anyone thinking about disabling the defaults should think long and hard.
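As an added illustration (not ThroughTek’s or Kalay’s code, and not from the CISA report), here is what “default to on and enforced” looks like for an HTTPS/WebSocket signaling client written against Python’s standard `ssl` module. Every function name and URL below is hypothetical. The policy check refuses plain `ws://`/`http://` endpoints outright, pins the context to TLS 1.2 or newer with certificate and hostname verification, and allows only forward-secret (ECDHE) AEAD cipher suites; the deliberately weak “nossl-style” context is included only so the check can be seen rejecting it.

```python
import ssl
from urllib.parse import urlparse

# Added illustration, not ThroughTek/Kalay code: a signaling client that
# enforces TLS by construction. Function names and URLs are hypothetical.

SECURE_SCHEMES = {"https", "wss"}


def signaling_url_is_secure(url: str) -> bool:
    """True only for https:// or wss:// endpoints; plain http:// and ws://
    (the "nossl" case) are refused before any connection is attempted."""
    return urlparse(url).scheme.lower() in SECURE_SCHEMES


def make_signaling_context() -> ssl.SSLContext:
    """Client context with the defaults argued for above: certificate
    verification on, hostname checking on, TLS 1.2 minimum, and only
    forward-secret (ECDHE) AEAD cipher suites."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suite selection; TLS 1.3 suites are PFS and AEAD by design
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


def make_nossl_style_context() -> ssl.SSLContext:
    """The kind of override a developer adds 'to get started': certificate
    verification switched off. Present only so the policy check can reject it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_meets_policy(ctx: ssl.SSLContext) -> bool:
    """Gate every outbound signaling connection on this check."""
    pfs_only = all(
        c["name"].startswith("TLS_")  # TLS 1.3 suites
        or ("ECDHE" in c["name"] and c["aead"])
        for c in ctx.get_ciphers()
    )
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
        and pfs_only
    )


def open_signaling_channel(url: str):
    """Return (hostname, context) ready for SSLContext.wrap_socket, or raise.
    There is no 'insecure' flag to pass: the weak path does not exist."""
    if not signaling_url_is_secure(url):
        raise ValueError(f"refusing unencrypted signaling endpoint: {url}")
    ctx = make_signaling_context()
    if not context_meets_policy(ctx):
        raise RuntimeError("TLS context is weaker than policy")
    return urlparse(url).hostname, ctx


if __name__ == "__main__":
    host, ctx = open_signaling_channel("wss://signal.example.invalid/v1")
    print(host, "policy ok:", context_meets_policy(ctx))
    print("nossl-style context passes policy:",
          context_meets_policy(make_nossl_style_context()))
```

The design point is that the secure configuration is the only configuration the code can produce: there is no parameter that turns verification off, so the “close the front door” advice never has to be given to the integrator. Note that Python’s `ssl` module covers TLS over TCP for the signaling channel only; the DTLS protection of the UDP media stream discussed below is a separate mechanism.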

Their audio and video streams were likely unencrypted

The CISA report on this vulnerability also noted that “(d)evice firmware using the AVAPI module without enabling DTLS mechanism” was also vulnerable to attack. DTLS refers to Datagram TLS, which is basically just encryption for data sent using the “UDP” protocol. All those acronyms aside, this typically would mean that the actual audio and video streams (“the media”) were also sent completely unencrypted.

A best-practice approach would be, after setting up a secured signaling channel, to exchange DTLS certificate fingerprints over that channel and use auto-generated anonymous ECDSA keys with perfect forward secrecy, so that the entire media stream is encrypted end to end using AES. Anything less would be an open invitation to hackers everywhere.
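The fingerprint exchange described above is what binds the media stream to the signaling handshake. As an added example (not Kalay code and not from the CISA report), the block below shows the binding logic in Python: each side announces the SHA-256 fingerprint of its per-session DTLS certificate over the already-protected signaling channel in the `a=fingerprint:` form used by WebRTC (RFC 8122), and the media side accepts a DTLS peer only if the certificate it actually presents hashes to that announced value. The “certificate” byte strings are constructed stand-ins for DER-encoded ECDSA certificates; real ones would be generated fresh per session, which is what gives the scheme its forward secrecy.

```python
import hashlib
import hmac
import re

# Added illustration, not Kalay/ThroughTek code. The certificate bytes used in
# __main__ and the tests are constructed stand-ins for per-session DER certs.

# a=fingerprint:<hash-func> <colon-separated upper-case hex>  (RFC 8122 form)
FINGERPRINT_LINE = re.compile(
    r"^a=fingerprint:(?P<alg>[\w-]+)\s+(?P<hex>(?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})$"
)


def cert_fingerprint(cert_der: bytes) -> bytes:
    """SHA-256 over the DER-encoded certificate, as RFC 8122 specifies."""
    return hashlib.sha256(cert_der).digest()


def format_fingerprint_line(cert_der: bytes) -> str:
    """What each side sends over the TLS-protected signaling channel before
    any media flows. Because the key pair is ephemeral, this value changes
    every session and there is no long-lived secret to steal."""
    hx = cert_fingerprint(cert_der).hex().upper()
    return "a=fingerprint:sha-256 " + ":".join(hx[i:i + 2] for i in range(0, len(hx), 2))


def parse_fingerprint_line(line: str) -> bytes:
    """Strictly parse the signaled attribute; refuse weak or malformed input."""
    m = FINGERPRINT_LINE.match(line.strip())
    if not m:
        raise ValueError("malformed fingerprint attribute")
    if m.group("alg").lower() != "sha-256":
        raise ValueError("only sha-256 fingerprints are accepted")
    digest = bytes.fromhex(m.group("hex").replace(":", ""))
    if len(digest) != hashlib.sha256().digest_size:
        raise ValueError("fingerprint length does not match sha-256")
    return digest


def media_peer_is_bound(signaled_line: str, presented_cert_der: bytes) -> bool:
    """Called when the DTLS handshake for the media stream delivers the peer's
    certificate. Accept only if it matches what signaling promised; the
    comparison is constant-time so the check itself leaks nothing."""
    expected = parse_fingerprint_line(signaled_line)
    return hmac.compare_digest(expected, cert_fingerprint(presented_cert_der))


if __name__ == "__main__":
    # Constructed stand-ins, not real certificates.
    camera_cert = b"constructed stand-in for the camera's per-session DER certificate"
    interposer_cert = b"constructed stand-in for an interposer's certificate"

    announced = format_fingerprint_line(camera_cert)  # travels over signaling
    print(announced)
    print("genuine camera accepted:", media_peer_is_bound(announced, camera_cert))
    print("substituted certificate accepted:", media_peer_is_bound(announced, interposer_cert))
```

The security property is that an on-path party who cannot read or alter the signaling channel cannot substitute its own DTLS certificate on the media path, because the fingerprint it would have to match was fixed before the media handshake began. That is also why the unencrypted (“nossl”) signaling discussed earlier matters so much: if the fingerprint line can be tampered with in transit, the binding gives no protection.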

Streaming security isn’t sexy, but it is crucial

The ThroughTek vulnerability has highlighted the overall lack of attention paid to security by a huge portion of the video streaming industry. While this is a serious problem, it’s not hard to understand why it happened: Streaming security isn’t sexy, and it’s only a problem when it isn’t there. But without it, the devices we rely on for everyday streaming (from baby monitors to security cameras to DVRs) are completely exposed. In our hyper-connected age, we already choose to share enough of our lives — the last thing we need is to expose anything we have NOT chosen to share.

It’s crucial that live streaming SDKs ensure all signaling and audio/video communication goes over encrypted channels instead of outsourcing security to users. It’s not enough to tell them to lock the front door when the house you sold doesn’t have a door at all.

In a world where privacy is constantly eroded, data is king, and devices are more and more interconnected, now more than ever security must be put at the forefront of any commercial solution. If you want to protect your intellectual property, safeguard your home and family, or just don’t want strangers prying into your business, be sure your streaming solution providers put security and privacy at the forefront, not as an afterthought.


As the CEO of Liveswitch Inc., Jerod is passionate about applying real-time communications technology to find innovative solutions to business problems.