Set of bugs puts software company and IoT device makers into motion
Cybersecurity researchers and Internet of Things (IoT) technology companies say they worked together to eliminate four software vulnerabilities that could have given malicious hackers deep access to networks.
The bugs were in Kalay, a tool that companies deploy to manage and communicate with the IoT devices they produce. Kalay users include device manufacturer Roku, the baby monitor maker Owlet and wireless camera seller Wyze.
More than 100 million devices worldwide could be affected based on the number of vendors using the tool. Researchers from cybersecurity company Bitdefender framed it as a potentially serious software supply-chain issue.
Due to Kalay’s “massive presence in IoT integrations, these flaws have a significant downstream impact on several vendors,” Bitdefender said.
The announcement comes as hackers continue to exploit vulnerabilities in IoT devices for access into home networks and for botnets — which use compromised devices to put added weight behind powerful distributed denial-of-service (DDoS) attacks. Devices typically found in homes have even been abused by nation-state actors preparing for larger, more destructive attacks.
In October, Bitdefender disclosed the vulnerabilities to ThroughTek, the Taiwanese tech giant that makes Kalay. All versions of the software were patched by mid-April.
Yi-Ching, a member of the Product Security Incident Response Team at ThroughTek, told Recorded Future News that the company has been working with affected vendors to address the vulnerabilities since the end of 2023 and released an advisory in January.
Yi-Ching said end users have to update their devices to the latest version to “ensure there are no security concerns.” It is unclear which vendors delivered the patches as automatic updates and which require user action.
Bitdefender confirmed with ThroughTek in April that all affected vendors have a patch available.
Bitdefender explained that when chained together, different combinations of the vulnerabilities could have allowed a hacker to fully compromise devices. The researchers published separate white papers describing each potential attack.
A focus on three brands
The security company tested the vulnerabilities on devices made by Owlet, Roku and Wyze.
Owlet uses the ThroughTek Kalay solution to communicate with its devices over the internet and is affected by three of the vulnerabilities. A spokesperson said Owlet immediately began an investigation after being informed of the vulnerabilities.
“All vulnerabilities identified have since been addressed and we have no evidence that any vulnerabilities were exploited prior to fixing,” an Owlet spokesperson said.
All of the company’s cameras and mobile apps have been forced to update and the company urged customers to take personal measures — like changing passwords — to protect their home network.
The vulnerabilities also affect the Roku Indoor Camera SE, allowing a hacker to take control of the camera. A Roku spokesperson said a mandatory patch was issued in January and that an attack could only be launched if the hacker had access to the device owner’s WiFi network. Like Owlet, Roku urged customers to have strong WiFi passwords to protect their personal network.
Wyze did not respond to requests for comment about the vulnerabilities.
“The ramifications of these vulnerabilities extend far beyond the realm of theoretical exploits, as they directly impact the privacy and safety of users relying on devices powered by ThroughTek Kalay,” Bitdefender said.
Bitdefender provided more technical advisories for each of the products using ThroughTek’s technology.
ThroughTek said it has prioritized cybersecurity by “implementing multiple layers of protection from cloud servers, firmware/software technology, to encryption verification mechanisms.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.