Full Report
Since 2014, Bitdefender IoT researchers have been looking into the world's most popular IoT devices, hunting for vulnerabilities and undocumented attack avenues. This report documents four vulnerabilities affecting devices powered by the ThroughTek Kalay Platform. Due to the platform’s massive presence in IoT integrations, these flaws have a significant downstream impact on several vendors. In the interconnected landscape of the Internet of Things (IoT), the reliability and security of devices,
Analysis Summary
# Vulnerability: Multiple Critical Flaws in ThroughTek Kalay Platform Affecting Major IoT Devices
## CVE Details
- CVE ID: CVE-2023-6321, CVE-2023-6322, CVE-2023-6323, CVE-2023-6324
- CVSS Score: Not explicitly provided for individual CVEs, but the collective impact suggests High/Critical severity (Root compromise possible).
- CWE: Generic: Logic Error (implied by command execution/buffer overflow)
## Affected Systems
- Products: ThroughTek Kalay Platform (SDK), Owlet Cam v1 and v2, Wyze Cam v3, Roku Indoor Camera SE.
- Versions: Affected SDK versions were patched by April 16, 2024. Specific vulnerable firmware versions are available in vendor-specific reports listed in the references.
- Configurations: Vulnerabilities are chained; some require local network access or specific features (e.g., motion detection zones, OTA updates) to be utilized fully.
## Vulnerability Description
This summary covers four vulnerabilities in the ThroughTek Kalay Platform, which powers over 100 million IoT devices. The flaws can be chained to achieve unauthorized root access and remote code execution (RCE) from within the local network.
1. **CVE-2023-6321 (Authenticated Command Execution):** Allows an authenticated user to execute system commands as the `root` user. On the Owlet Cam, this is tied to IOCTL message `0x6008E` used for unpacking OTA updates.
2. **CVE-2023-6322 (Stack Buffer Overflow):** A stack-based buffer overflow in the handler for an IOCTL message (`0x284C`), often used for motion detection zone configuration. This can lead to root access.
3. **CVE-2023-6323 (AuthKey Exposure):** Allows a local attacker to obtain the `AuthKey` secret, facilitating preliminary connection establishment.
4. **CVE-2023-6324 (DTLS Pre-Shared Key Inference):** Allows attackers to infer the pre-shared key used for DTLS sessions, a prerequisite for connecting to the device.
## Exploitation
- Status: PoC available (implied, as detailed write-ups exist showing chaining).
- Complexity: Requires chaining of vulnerabilities. Initial access for full compromise seems to require a local network presence, though some steps (like key inference) might set up remote execution later.
- Attack Vector: Primarily Local Network access required for initial key retrieval/privilege escalation, leading to remote code execution if chaining is successful.
## Impact
- Confidentiality: High (Root access facilitates full data access).
- Integrity: High (Ability to execute arbitrary code as root allows modification of system integrity).
- Availability: High (Root access can lead to device denial of service or persistent control).
## Remediation
### Patches
- ThroughTek patched all affected SDK versions by April 16, 2024.
- Affected vendors (including Owlet, Wyze, and Roku) have released updated firmware containing these fixes. Users must update their devices.
### Workarounds
- No specific workarounds were detailed, as patches were released promptly. General mitigation strategies (listed below) are recommended until patches are applied.
## Detection
- **Indicators of Compromise (IoCs):** Unauthorized execution of root commands, unusual network activity related to DTLS handshakes, or unexpected device behavior following local network reconnaissance.
- **Detection Methods and Tools:** Monitoring network traffic for anomalous IOCTL message exchange patterns, especially related to motion detection configuration or OTA package handling. Analyzing device logs for root privilege escalations.
## References
- Vendor advisories: Contacted ThroughTek responsibly disclosed issues.
- Relevant links:
- CVE-2023-6321 details: defanged.cve.org/CVERecord?id=CVE-2023-6321
- CVE-2023-6322 details: defanged.cve.org/CVERecord?id=CVE-2023-6322
- CVE-2023-6323 details: defanged.cve.org/CVERecord?id=CVE-2023-6323
- CVE-2023-6324 details: defanged.cve.org/CVERecord?id=CVE-2023-6324
- Owlet Whitepaper: defanged.blogapp.bitdefender.com/labs/content/files/2024/05/Bitdefender-PReport-owlet-7745.pdf
- Wyze Whitepaper: defanged.blogapp.bitdefender.com/labs/content/files/2024/05/Bitdefender-PReport-Wyze-7745.pdf
- Roku Whitepaper: defanged.blogapp.bitdefender.com/labs/content/files/2024/05/Bitdefender-PReport-roku-7745.pdf