Quote:Security researchers have discovered a critical flaw that affects tens of millions of internet-of-things (IoT) devices – one that exposes live video and audio streams to eavesdropping threat actors and which could enable attackers to take over control of devices, including security webcams and connected baby monitors.
 
The flaw, tracked as CVE-2021-28372 and FEYE-2021-0020 and assigned a critical CVSS3.1 base score of 9.6, was found in devices connected via ThroughTek’s Kalay IoT cloud platform.
 
The alarm was sounded on Tuesday by Mandiant, in coordination with the Cybersecurity and Infrastructure Security Agency (CISA) and ThroughTek. Mandiant’s Red Team discovered the vulnerability in late 2020.
 
“CVE-2021-28372 poses a huge risk to an end user’s security and privacy and should be mitigated appropriately,” according to Mandiant’s post. “Unprotected devices, such as IoT cameras, can be compromised remotely with access to a UID and further attacks are possible depending on the functionality exposed by a device.”

As Mandiant explained, the flaw would enable adversaries “to remotely compromise victim IoT devices, resulting in the ability to listen to live audio, watch real time video data, and compromise device credentials for further attacks based on exposed device functionality. These further attacks could include actions that would allow an adversary to remotely control affected devices.”