There’s an article in the news about IoT devices that use the Kalay network, which consists of about 83 million devices and 1.1 billion connections per month, being vulnerable to a very simple attack that allows an attacker to intercept audio, video and steal credentials.
Do the Wyze devices use the Kalay network at all?
@WyzeTao 4 years ago on Reddit:
We chose ThroughTek for multiple business reasons, but nothing related with the other service like Kalay surveillance. We used ThroughTek only for establishing P2P connection. All alert videos were directly transmitted between our cameras and AWS. ThroughTek knows nothing about our customer’s alert videos, nor do they know anything about our user’s information (like username and password). Hope that explains. Thanks!
Great find, @dr.know. See also
ThroughTek’s P2P network IS Kalay so if you used ThroughTek “only for establishing P2P connection” it would seem that you are using Kalay.
The Kalay protocol is implemented as a Software Development Kit (“SDK”) which is built into client software (e.g. a mobile or desktop application) and networked IoT devices, such as smart cameras.
There was a recent update to the V3 cameras. Is it in any way related to this problem?
Interestingly V2 cams and other devices had a firmware update 21 July that includes “security improvements” but nothing similar is said in V3 release notes. V3 firmware seems on a different release schedule.
Also, the article quoted at the start of this thread seems to be a different vulnerability to the one reported by Mandiant a few days ago:
Have no doubt that some Wyze products use ThroughTek Kalay, but which ones, and can/will this be fixed? These are the questions.