Kalay Platform Vulnerability Compromises Smart Home Security

By Anthony Eich on September 17, 2021

Executive Summary

A new critical vulnerability, tracked in the Common Vulnerabilities and Exposures (CVE) list, that affects over 83 million Internet of Things (IoT) security devices has been found in Kalay, the cloud platform of ThroughTek Co. With this vulnerability, malicious actors in possession of a device unique identifier (UID) can impersonate a ThroughTek device, hijacking the victim’s connection and then forcing them to supply the credentials needed to access the wireless surveillance devices (MITRE, 2021). With that access they would potentially be able to listen to audio and access live video footage. An update has been issued by the company, but in order to be effective, end users are required to download and install the new software patch.


ThroughTek is a Taiwan-based company producing products focusing on management technology for wireless security and surveillance devices. They are well known for their IoT cloud platform, Kalay, which is what their IoT devices use to interconnect. There are over 83 million devices deployed worldwide (Valletta, 2021) that are dependent on the company’s cloud platform, including video cameras and baby monitors. Kalay was updated in late 2019 with the release of Kalay 2.0 with the goal of a “decentralized architecture to create more efficient connections, simplified integration processes, and reinforced data security.” On August 17 the cybersecurity company Mandiant was the first to disclose the vulnerability, categorized by the MITRE Corporation as CVE-2021-28372 (MITRE, 2021). Researchers at Mandiant used several processes to discover the bug. By downloading applications from Google Play and the Apple App Store that contained ThroughTek libraries, they were able to reverse engineer the programs using tools such as Frida, gdb and Wireshark. This allowed the researchers to develop a tool that emulates the Kalay protocol, which they could then use to exploit ThroughTek’s devices. This type of vulnerability is classified as “Authentication Bypass by Spoofing” (CWE, n.d.).
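To make the “Authentication Bypass by Spoofing” class concrete, the following added example (not ThroughTek or Mandiant code, and not the Kalay protocol) models a registry that accepts a device on its UID alone beside one that requires proof of a per-device key. The class names, the sample UID, the endpoints and the provisioned key are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values: a made-up UID and a per-device key (assumed provisioned at manufacture).
UID = "EXAMPLE-UID-0001"
KEY = secrets.token_bytes(32)

def device_proof(key, nonce, endpoint):
    """HMAC binding a server nonce to the endpoint; only a key holder can compute it."""
    return hmac.new(key, nonce + endpoint.encode(), hashlib.sha256).digest()

class WeakRegistry:
    """Identifier-only registration: whoever presents the UID becomes the device."""
    def __init__(self):
        self.routes = {}
    def register(self, uid, endpoint):
        self.routes[uid] = endpoint  # last registration wins, no proof of identity
        return True

class HardenedRegistry:
    """Registration must answer a fresh, single-use nonce with the device key."""
    def __init__(self, device_keys):
        self.device_keys, self.pending, self.routes = device_keys, {}, {}
    def challenge(self, uid):
        self.pending[uid] = secrets.token_bytes(16)
        return self.pending[uid]
    def register(self, uid, endpoint, proof):
        nonce = self.pending.pop(uid, None)  # single use, so a captured proof cannot be replayed
        key = self.device_keys.get(uid)
        if nonce is None or key is None:
            return False
        if not hmac.compare_digest(device_proof(key, nonce, endpoint), proof):
            return False
        self.routes[uid] = endpoint
        return True

def demo():
    """Return (weak route, genuine accepted, forged accepted, hardened route)."""
    weak = WeakRegistry()
    weak.register(UID, "camera.example")
    weak.register(UID, "impostor.example")  # knowing the UID is sufficient
    strong = HardenedRegistry({UID: KEY})
    nonce = strong.challenge(UID)
    genuine = strong.register(UID, "camera.example", device_proof(KEY, nonce, "camera.example"))
    nonce = strong.challenge(UID)
    forged = strong.register(UID, "impostor.example", device_proof(b"\0" * 32, nonce, "impostor.example"))
    return weak.routes[UID], genuine, forged, strong.routes[UID]
```

In the weak model the UID acts as both identifier and credential, which is why a leaked UID is enough to redirect client connections; in the hardened model the UID can be public without granting the ability to register.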


Due to the potential severity of the damages that could be caused by this attack, MITRE has given the vulnerability an initial Common Vulnerability Scoring System (CVSS) score of 9.6 (CVE-2021-28372 Detail, 2021), which is very high and denotes a critical vulnerability that is widely applicable and carries a high risk of system compromise. ThroughTek has added a page to their website that is dedicated to addressing the vulnerability, describing what the problem is and pointing to resources. One resource points to CVE-2021-32934, which, when searched on the MITRE Corporation’s website, is a reservation with no data provided. This could point to another vulnerability that has not yet been made publicly known. In addition to a fact sheet regarding this bug, ThroughTek has provided updates to its Kalay protocol that are now available for download, but end users will have to manually update their devices for the patch to take effect. Until that patch is in place, end users will remain vulnerable to an attack that can allow attackers to remotely take control of the connected devices, potentially using these surveillance devices to spy on homeowners and enact even further attacks. Recommendations from Mandiant to mitigate this type of vulnerability in the future include ensuring that IoT device manufacturers apply stringent controls around web application programming interfaces (APIs) used to obtain Kalay UIDs, usernames, and passwords. Failure to do so could result in attackers being able to identify many UIDs, allowing for the compromise of a massive number of devices.


More and more, the Internet of Things is being used to connect the world. Surveillance devices that are connected to the Internet are intended to provide a safer environment for homeowners and businesses. However, every advancement in this technology comes with opportunities for those industrious enough to do the research to find vulnerabilities, and with every vulnerability exposed there will be those who seek to exploit it. ThroughTek is not the first company to have been found lacking in the security of their devices. Others such as Ring have also come under fire recently for the lack of security embedded in their products (O’Donnell, 2019). Anyone using wireless devices to monitor their homes should be aware of the inherent possibility that these systems can be turned against them. All precautions should be taken to ensure that systems are regularly updated, passwords are of proper length and complexity to avoid being cracked, and that other identifying information, such as device ID numbers, is appropriately obfuscated. Even so, attackers may still be able to find a way to exploit these systems, and so consumers of IoT products should be aware of these possibilities before they employ them in their homes and places of business.


CVE-2021-28372 Detail. (2021, August 18). Retrieved September 15, 2021, from National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2021-28372

CWE. (n.d.). CWE-290: Authentication Bypass by Spoofing. Retrieved September 15, 2021, from Common Weaknesses Enumeration: http://cwe.MITRE.org/data/definitions/290.html

MITRE. (2021, March 13). CVE-2021-28372. Retrieved September 15, 2021, from CVE: https://cve.MITRE.org/cgi-bin/cvename.cgi?name=CVE-2021-28372

O’Donnell, L. (2019, December 18). Ring Plagued by Security Issues, Flood of Hacks. Retrieved September 15, 2021, from threatpost: https://threatpost.com/ring-plagued-security-issues-hacks/151263/

Valletta, J. (2021, August 17). Threat Research Blog. Retrieved September 15, 2021, from FireEye: https://www.fireeye.com/blog/threat-research/2021/08/mandiant-discloses-critical-vulnerability-affecting-iot-devices.html