Full Report
Since 2014, Bitdefender IoT researchers have been looking into the world's most popular IoT devices, hunting for vulnerabilities and undocumented attack avenues. This report documents four vulnerabilities affecting devices powered by the ThroughTek Kalay Platform. Due to the platform’s massive presence in IoT integrations, these flaws have a significant downstream impact on several vendors. In the interconnected landscape of the Internet of Things (IoT), the reliability and security of devices,
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in ThroughTek Kalay Platform (CVE-2023-6321 through CVE-2023-6324)
## CVE Details
- CVE ID: CVE-2023-6321, CVE-2023-6322, CVE-2023-6323, CVE-2023-6324
- CVSS Score: N/A (No explicit high-level score provided, but chaining leads to root/RCE)
- CWE: N/A (Multiple weaknesses are implied)
## Affected Systems
- Products: ThroughTek Kalay Platform (SDK used by numerous IoT vendors)
- Versions: Specific vulnerable SDK versions (must consult vendor-specific advisories/whitepapers for exact versions). Affected devices include:
  - Owlet Cam v1 and v2
  - Wyze Cam v3
  - Roku Indoor Camera SE
- Configurations: Affects devices using the Kalay platform, often surveillance/security cameras. Local network access is often a prerequisite for full exploitation.
## Vulnerability Description
This report covers four related vulnerabilities in the ThroughTek Kalay Platform used extensively in IoT devices (over 100 million globally). These flaws can be chained together to enable unauthorized root access from the local network, potentially leading to remote code execution (RCE) after initial local probing.
The four distinct vulnerabilities are:
1. **CVE-2023-6321:** Allows an authenticated user to run system commands as the `root` user, leading to full device compromise (specifically linked to an issue within IOCTL message `0x6008E` related to OTA update unpacking on Owlet Cam).
2. **CVE-2023-6322:** A stack-based buffer overflow in the handler of an IOCTL message (`0x284C`), often used for configuring motion detection zones, which can lead to root access (specific to Wyze Cam v3 and Roku Camera SE).
3. **CVE-2023-6323:** Allows a local attacker to obtain the `AuthKey` secret, facilitating a preliminary connection to the victim device.
4. **CVE-2023-6324:** Allows attackers to infer the pre-shared key (PSK) for a DTLS session, a prerequisite for connecting to the device.
## Exploitation
- Status: Not explicitly stated as exploited in the wild, but PoC/chaining exists and led to vendor fixes.
- Complexity: Medium to High (Chaining is required for full compromise; initial steps often require local network access or authentication).
- Attack Vector: Primarily **Local** network access required, though chaining can facilitate RCE after initial probing.
## Impact
- Confidentiality: High (Root access allows access to all stored data).
- Integrity: High (Full device compromise, arbitrary code execution).
- Availability: High (Device could be rendered inoperable or used in botnets).
## Remediation
### Patches
- The vendor (ThroughTek) confirmed that all affected SDK versions have been patched as of April 16, 2024.
- **Action Required:** Affected vendors (Owlet, Wyze, Roku, etc.) must deploy updated firmware containing the patched SDK. Users should check for firmware updates for specific devices.
### Workarounds
- No specific vendor workarounds were detailed in this summary, as patches were released.
- General mitigation strategies would involve isolating vulnerable IoT devices behind a firewall or restricting local network trust until firmware updates are applied.
## Detection
- Detection methods would focus on network traffic carrying the specific IOCTL messages named above (`0x6008E` and `0x284C`) and on repeated attempts to negotiate DTLS sessions without proper credentials (related to CVE-2023-6324).
- Indicators of Compromise (IOCs): Unexplained system command execution, unexpected firmware update processes, or unauthorized root shell access detected on the device logs/filesystem.
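The following is an added example, not code from the Bitdefender report or from ThroughTek: a small rule-based triage script that applies the detection ideas above to event lines. The log format is constructed for this example (an ISO-8601 timestamp followed by `key=value` pairs, as a hypothetical network sensor that decodes Kalay IOCTL message IDs, or a device-side agent, might emit), and the DTLS failure threshold and window are assumed values, not figures from the report.

```python
"""Rule-based triage of the Kalay indicators listed in the report.

Added example, not from the Bitdefender report. The log format is constructed
for this example: one event per line, an ISO-8601 timestamp followed by
key=value pairs, as a hypothetical network sensor or device agent might emit.
"""
import re
from collections import defaultdict
from datetime import datetime

# IOCTL message IDs named in the report. 0x284C is also used legitimately for
# motion-zone configuration, so a hit is a review item, not proof of attack.
SENSITIVE_IOCTL = {
    0x6008E: "OTA update unpacking handler (CVE-2023-6321)",
    0x284C: "motion-detection zone handler (CVE-2023-6322)",
}

# Assumed thresholds for this example; derive real ones from your own baseline.
DTLS_FAIL_THRESHOLD = 5      # failed handshakes from one source ...
DTLS_WINDOW_SECONDS = 60     # ... within this sliding window

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line):
    """Parse '<timestamp> k=v k=v ...' into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))}
    for token in m.group("kv").split():
        key, sep, value = token.partition("=")
        if sep:
            ev[key] = value
    return ev


def detect(lines):
    """Return a list of alerts ({"src", "rule", "detail"}), one per matched rule."""
    alerts = []
    dtls_failures = defaultdict(list)   # source address -> failure timestamps

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev.get("src") or ev.get("host", "?")
        kind = ev.get("event")

        if kind == "ioctl":
            msg = int(ev.get("msg", "0"), 16)
            if msg in SENSITIVE_IOCTL:
                alerts.append({"src": src, "rule": "sensitive-ioctl",
                               "detail": f"0x{msg:X}: {SENSITIVE_IOCTL[msg]}"})

        elif kind == "dtls" and ev.get("result") == "fail":
            stamps = dtls_failures[src]
            stamps.append(ev["ts"])
            # drop failures that fell out of the sliding window
            stamps[:] = [t for t in stamps
                         if (ev["ts"] - t).total_seconds() <= DTLS_WINDOW_SECONDS]
            # alert exactly once when a burst reaches the threshold
            if len(stamps) == DTLS_FAIL_THRESHOLD:
                alerts.append({"src": src, "rule": "dtls-psk-probing",
                               "detail": f"{len(stamps)} failed handshakes in "
                                         f"{DTLS_WINDOW_SECONDS}s (CVE-2023-6324)"})

        elif kind == "device":
            # host-side indicators of compromise listed in the report
            if ev.get("action") == "update_started" and ev.get("scheduled") == "no":
                alerts.append({"src": src, "rule": "unexpected-firmware-update",
                               "detail": "update not initiated by schedule or user"})
            elif ev.get("action") == "shell_spawn" and ev.get("uid") == "0":
                alerts.append({"src": src, "rule": "root-shell",
                               "detail": "interactive shell started as uid 0"})
    return alerts


# Constructed sample events (addresses and timestamps are made up).
SAMPLE_LOG = """\
2024-05-01T10:00:00Z event=ioctl src=192.168.1.50 dst=192.168.1.20 msg=0x0010
2024-05-01T10:00:01Z event=ioctl src=192.168.1.50 dst=192.168.1.20 msg=0x284C len=4096
2024-05-01T10:00:02Z event=dtls src=192.168.1.77 dst=192.168.1.20 result=fail
2024-05-01T10:00:03Z event=dtls src=192.168.1.77 dst=192.168.1.20 result=fail
2024-05-01T10:00:04Z event=dtls src=192.168.1.77 dst=192.168.1.20 result=fail
2024-05-01T10:00:05Z event=dtls src=192.168.1.77 dst=192.168.1.20 result=fail
2024-05-01T10:00:06Z event=dtls src=192.168.1.77 dst=192.168.1.20 result=fail
2024-05-01T10:00:07Z event=dtls src=192.168.1.77 dst=192.168.1.20 result=ok
2024-05-01T10:00:08Z event=ioctl src=192.168.1.77 dst=192.168.1.20 msg=0x6008E
2024-05-01T10:00:09Z event=device host=192.168.1.20 action=update_started scheduled=no
2024-05-01T10:00:10Z event=device host=192.168.1.20 action=shell_spawn uid=0
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(f"[{alert['rule']}] {alert['src']}: {alert['detail']}")
```

Run as a script, it prints five alerts for the sample: the `0x284C` message for review, a PSK-probing burst from `192.168.1.77` followed by that host sending `0x6008E`, and the two device-side indicators. The DTLS rule fires once per burst rather than on every failure so that a brute-force attempt produces one actionable alert instead of hundreds.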
## References
- Vendor advisories for Owlet Cam, Wyze Cam v3, and Roku Indoor Camera SE must be consulted for specific patch versions.
- Whitepaper (General Overview): hxxps://blogapp.bitdefender.com/labs/content/files/2024/05/Bitdefender-PReport-owlet-7745-pdf (Check vendor sites for non-defanged links specific to the Coordinated Vulnerability Disclosure date).