A security vulnerability has been found affecting several versions of ThroughTek Kalay P2P Software Development Kit (SDK), which could be abused by a remote attacker to take control of an affected IoT device and potentially lead to remote code executions.

The issue has been addressed in the security update ThroughTek Kalay P2P SDK v2.7.5 / v3.0.5 and v3.1.4 / v3.2.4, which is now available for download.

ThroughTek reminds users of the importance to keep their systems up-to-date in order to prevent such issues and protect themselves from potential cyber threats: as the same advisory states, “the use of outdated software may be subject to security risks.  In the worst case, a zero-day vulnerability is inherent to outdated software.  It is recommended to always upgrade the software to the latest available version in order to have the latest security updates.”

The ThroughTek Kalay P2P SDK, developed by ThroughTek and used in IoT devices manufactured by the Taiwanese company Hon Hai Precision Industry Co., Ltd. (better known as the “Foxconn” factory) is a popular software development kit that is widely used by Android developers to write applications for smartphones.

The security flaws affect different versions of the SDK, which are used to support embedded systems and mobile devices including smart TVs. The SDK could be exploited to gain remote control of controlled device functions.

There are believed to be 83 million active devices on the Kalay platform. The following versions of Kalay P2P SDK are impacted –

  • Version 3.1.5 and prior
  • SDK versions with the nossl tag
  • Device firmware that does not use AuthKey for IOTC connection
  • Device firmware using the AVAPI module without enabling DTLS mechanisms
  • Device firmware using P2PTunnel or RDT module

The security flaw identified by Kaspersky Lab researchers was reported to the vendor several months ago.

“The vulnerability allows an unauthorized remote attacker to execute arbitrary code in a privileged process through memory corruption,” according to the company blog. “It could be exploited for example in order to gain unauthorized access to information, modify or delete data, or cause a denial of service.”

ThroughTek has patched the problem and issued an update that addresses the security flaw, but unfortunately, it is too late for devices already sold as well as those that will be sold in the future.

Interested in reading more about IoT devices? Understanding the needs of IoT security discusses what an appropriate security system is when IoT devices are involved.

Liquid Video Technologies Logo, zero trust, Security, Video Surveillance, Greenville South Carolina, cybersecurity, IoT

If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access ControlFire, IT consultant, or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.