PT-2021-3820 · ThroughTek · ThroughTek Kalay Platform

Dillon Franke

Published 2021-08-17 · Updated 2025-06-06

CVE-2021-28372

CVSS v3.1: 8.3 High
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ThroughTek Kalay Platform version 2.0; ThroughTek Kalay P2P SDK (affected versions not specified)

Description: The vulnerability is an authentication bypass by spoofing in the Kalay P2P network. A device is identified on the network solely by its 20-byte uniquely assigned identifier (UID), and registration with the network requires no proof that the registering party actually is that device. A remote attacker who knows a valid UID can therefore register as an arbitrary ThroughTek (TUTK) device and impersonate it. When the victim's client later connects to that UID, the connection is routed to the attacker instead of the real device, and the attacker can make the client supply the credentials needed to access the victim's TUTK device. Because the UID is large enough that guessing one is impractical, a practical attack relies on UIDs obtained elsewhere (for example from a mobile application or web portal that exposes them). An estimated 83 million devices connected to the Kalay network are at risk. Successful exploitation allows the attacker to access live video and audio streams, compromise home networks and credentials, and conscript compromised devices into botnets.

Recommendations: For ThroughTek Kalay Platform version 2.0, update to Kalay 3.1.10 or later to resolve the issue, and enable the AuthKey and DTLS features the newer releases provide so that device registration is authenticated and the session is encrypted. For ThroughTek Kalay P2P SDK, at the moment there is no information about a newer version that contains a fix for this vulnerability.
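The following is an added, constructed model of the weakness described above; it is not ThroughTek's code, does not reproduce the real Kalay wire protocol, and uses made-up UIDs, endpoints and key names. It shows why a registration service that trusts a bare UID can be hijacked by anyone who knows that UID, and how binding each UID to a provisioned secret (an AuthKey-style credential, here modelled as an HMAC over a server challenge) stops the spoofed registration while leaving the legitimate device able to register.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a 20-character device UID, the real camera's
# endpoint and the attacker's endpoint. None of these are real identifiers.
UID = "ABCDEFGHIJKLMNOPQRST"
CAMERA = "10.0.0.5:7777"
ATTACKER = "203.0.113.9:7777"


class VulnerableRegistry:
    """Registration service that identifies a device by its UID alone.

    Whoever registers a UID most recently is what clients get routed to,
    so knowledge of the UID is the only 'credential' (authentication bypass
    by spoofing).
    """

    def __init__(self):
        self._devices = {}

    def register(self, uid, endpoint):
        if len(uid) != 20:
            raise ValueError("UID must be 20 characters")
        self._devices[uid] = endpoint  # no proof of ownership: last writer wins

    def resolve(self, uid):
        return self._devices[uid]


class HardenedRegistry:
    """Same service, but every UID is provisioned with a per-device secret
    (hypothetical 'auth_key'), and registration must carry an HMAC over a
    fresh server nonce and the claimed endpoint. A party that knows only the
    UID cannot produce a valid proof, so it cannot overwrite the registration.
    """

    def __init__(self, provisioned):
        self._keys = dict(provisioned)  # uid -> auth_key, set at provisioning
        self._devices = {}
        self._nonces = {}  # (uid, endpoint) -> outstanding challenge

    def challenge(self, uid, endpoint):
        nonce = secrets.token_bytes(16)
        self._nonces[(uid, endpoint)] = nonce
        return nonce

    def register(self, uid, endpoint, proof):
        key = self._keys.get(uid)
        nonce = self._nonces.pop((uid, endpoint), None)
        if key is None or nonce is None:
            raise PermissionError("unknown UID or no outstanding challenge")
        expected = device_proof(key, nonce, endpoint)
        if not hmac.compare_digest(expected, proof):
            raise PermissionError("registration proof does not verify")
        self._devices[uid] = endpoint

    def resolve(self, uid):
        return self._devices[uid]


def device_proof(auth_key, nonce, endpoint):
    """What a genuine device computes from its provisioned secret."""
    return hmac.new(auth_key, nonce + endpoint.encode(), hashlib.sha256).digest()


def client_login(registry, uid, username, password):
    """Model of the victim's app: look the UID up and send credentials to
    whatever endpoint the network returns. Returns who received them."""
    peer = registry.resolve(uid)
    _ = (username, password)  # in the real flow these go over the wire to `peer`
    return peer


def hijack_demo():
    """Vulnerable network: the attacker re-registers the UID and the victim's
    credentials are delivered to the attacker's endpoint."""
    net = VulnerableRegistry()
    net.register(UID, CAMERA)             # legitimate camera comes online
    net.register(UID, ATTACKER)           # attacker knows only the UID
    return client_login(net, UID, "admin", "hunter2")


def hardened_demo():
    """Hardened network: the same spoof attempt is rejected and the victim
    still reaches the real camera."""
    auth_key = secrets.token_bytes(32)    # provisioned into the real device
    net = HardenedRegistry({UID: auth_key})

    nonce = net.challenge(UID, CAMERA)
    net.register(UID, CAMERA, device_proof(auth_key, nonce, CAMERA))

    nonce = net.challenge(UID, ATTACKER)
    try:
        net.register(UID, ATTACKER, device_proof(b"guess", nonce, ATTACKER))
        return "hijacked"
    except PermissionError:
        pass
    return client_login(net, UID, "admin", "hunter2")


if __name__ == "__main__":
    print("vulnerable network delivers credentials to:", hijack_demo())
    print("hardened network delivers credentials to:  ", hardened_demo())
```

The check that matters in the hardened variant is that the proof is bound both to a nonce the server just issued and to the endpoint being registered, so a captured proof cannot be replayed and a valid proof cannot be used to point the UID somewhere else. The model is deliberately a toy; the real mitigation is the vendor's AuthKey and DTLS support in the updated SDK.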

Exploit

Weakness Enumeration

Authentication Bypass by Spoofing (CWE-290)

Related Identifiers

BDU:2021-04133
CVE-2021-28372

Affected Products

ThroughTek Kalay P2P SDK
ThroughTek Kalay Platform