FEYE-2021-0020

Vulnerability Description

ThroughTek's Kalay Platform 2.0 network allows an attacker to impersonate an arbitrary ThroughTek (TUTK) device if they hold a valid 20-byte UID. This can let the attacker hijack a victim's connection and force the victim's client to send it the credentials needed to access the victim's TUTK device.

Impact

Very High. An attacker could remotely compromise a victim's Kalay-enabled devices with root-level privileges.

Exploitability

High. The attacker needs only the victim's TUTK UID. Once they have it, they can register that UID on Kalay themselves, impersonate the victim's device, and capture the victim's credentials when the victim's client attempts to connect.

CVE Reference

CVE-2021-28372

Technical Details

The vulnerability stems from the device registration process requiring nothing more than the device's UID. An attacker who knows a victim's UID can register a device under the same UID, and the Kalay servers overwrite the existing registration with the attacker's. Clients that subsequently look up that UID are directed to the attacker, who can then intercept and obtain the victim's authentication material.

Resolution

ThroughTek and Mandiant recommend that original equipment manufacturers:

- For SDK v3.1.10 and above: enable authkey and DTLS.
- For SDK versions before v3.1.10: upgrade to v3.3.1.0 or v3.4.2.0 and enable authkey and DTLS.

Discovery Credits

Jake Valletta
Erik Barzdukas
Dillon Franke

Disclosure Timeline

2 May 2021: Issue reported to vendor
7 June 2021: Issue confirmed by ThroughTek
29 June 2021: Mandiant engages CISA for joint disclosure
13 August 2021: ThroughTek releases mitigation steps
17 August 2021: Mandiant and CISA advisory published
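The following is an added illustration, not ThroughTek's code or protocol, of the logic flaw described under Technical Details: a registry keyed on a public UID where the most recent registration wins, beside the same registry gated by a per-UID authkey. The `Registry` class, the `device:`/`attacker:` endpoint strings, the 20-character UID, and the idea of a manufacturer-provisioned authkey table are all assumptions made for the example; DTLS, which protects the transport rather than the registration decision, is not modelled.

```python
"""Toy model of UID-only device registration versus authkey-gated registration.

Added example, not ThroughTek's implementation. The registry shape, the
message shape returned by client_connect(), and the authkey table are
simplified assumptions used to show why keying registration on a public
UID alone lets a second registrant displace the legitimate device.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Registration:
    uid: str
    endpoint: str  # where clients asking for this UID are directed


@dataclass
class Registry:
    """UID -> current registration; a client connects to whatever is stored here."""
    require_authkey: bool
    # Hypothetical per-UID secrets provisioned at manufacture; only the
    # genuine device holds its key, the UID itself is not secret.
    authkeys: Dict[str, bytes] = field(default_factory=dict)
    table: Dict[str, Registration] = field(default_factory=dict)

    def register(self, uid: str, endpoint: str, authkey: Optional[bytes] = None) -> bool:
        """Accept or reject a registration; on success the UID now points at endpoint."""
        if len(uid) != 20:
            return False
        if self.require_authkey:
            expected = self.authkeys.get(uid)
            if expected is None or authkey is None:
                return False
            if not hmac.compare_digest(expected, authkey):
                return False
        # Last-write-wins: with require_authkey=False anyone who knows the UID
        # can replace the legitimate device's entry with their own endpoint.
        self.table[uid] = Registration(uid, endpoint)
        return True

    def resolve(self, uid: str) -> Optional[str]:
        reg = self.table.get(uid)
        return reg.endpoint if reg else None


def client_connect(registry: Registry, uid: str, username: str, password: str) -> dict:
    """Model of a client: look the UID up, then send credentials to whatever endpoint it got."""
    endpoint = registry.resolve(uid)
    return {"endpoint": endpoint, "username": username, "password": password}


def run_scenario(require_authkey: bool) -> Tuple[bool, Optional[str]]:
    """Return (attacker_registration_accepted, endpoint_the_victim_client_talks_to)."""
    uid = "ABCDEFGHIJKLMNOPQRST"  # constructed 20-character UID, not a real device
    device_key = secrets.token_bytes(16)
    registry = Registry(require_authkey=require_authkey, authkeys={uid: device_key})

    # The genuine device registers first.
    assert registry.register(uid, "device:10.0.0.5", device_key)

    # The attacker knows the UID but not the device's authkey.
    attacker_accepted = registry.register(uid, "attacker:203.0.113.9", authkey=b"\x00" * 16)

    # The victim's client now connects and hands over its credentials.
    msg = client_connect(registry, uid, "admin", "hunter2")
    return attacker_accepted, msg["endpoint"]


if __name__ == "__main__":
    print("UID-only registration:", run_scenario(require_authkey=False))
    print("authkey-gated registration:", run_scenario(require_authkey=True))
```

With `require_authkey=False` the attacker's registration is accepted and the victim's credentials go to `attacker:203.0.113.9`; with `require_authkey=True` the attacker's registration is rejected and the client still reaches `device:10.0.0.5`. The check uses `hmac.compare_digest` so that key comparison does not leak timing information, which is the property a real authkey verification would also need.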