Security researchers have reported a critical flaw affecting tens of millions of IoT devices. According to the researchers, a remote attacker could leverage the vulnerability to eavesdrop on live audio or take control of the device. The flaw was found in ThroughTek’s Kalay network, which is used in 83 million devices. The flaw also affects home monitoring devices such as baby monitors and security webcams. The vulnerability has been assigned a critical CVSS score of 9.6, making it very severe in nature. Mandiant released a report detailing the bug on Tuesday in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) and ThroughTek.
According to Mandiant, the vulnerability was discovered late last year and poses a huge risk to users’ security and privacy. Mandiant further stated that unprotected devices are also at risk for attack. An adversary would be able to remotely compromise an IoT device by exploiting the flaw and could compromise device credentials, watch real-time video data, and listen to live audio.