Spy attack: Critical bug exposes millions of devices’ camera data and audio to hackers

smart devices, cybersecurity,Critical ThroughTek SDK Bug Could Let Attackers Spy On Millions of IoT Devices
Critical ThroughTek SDK Bug Could Let Attackers Spy On Millions of IoT Devices

Cybersecurity researchers said Tuesday they discovered a flaw that exposes live video data and audio from millions of internet-connected devices to hackers.

The vulnerability affects more than 83 million devices that use ThroughTek’s Kalay network, according to the cybersecurity firm FireEye’s Mandiant division. ThroughTek is a technology company started in Taiwan that services “internet-of-things” (IoT) devices and develops software.

This vulnerability, discovered by researchers on Mandiant’s Red Team in late 2020, would enable adversaries to remotely compromise victim IoT devices, resulting in the ability to listen to live audio, watch real-time video data, and compromise device credentials for further attacks based on exposed device functionality,” Mandiant said in a statement. “These further attacks could include actions that would allow an adversary to remotely control affected devices.

Mandiant said it coordinated with the federal Cybersecurity and Infrastructure Security Agency (CISA), which did not immediately respond to requests for comment. In June, CISA published an advisory warning of a vulnerability in ThroughTek software that could expose sensitive information to hackers.

The latest discovered software vulnerability differs from the previous discovery in that Mandiant said the flaw it unearthed allows cyberattackers to communicate with devices remotely.

Precisely which devices are affected remains unclear. Mandiant said it could not develop a comprehensive list of vulnerable devices, but ThroughTek’s website states that more than 83 million devices use Kalay and 1.1 billion connections are made on the platform per month.

According to ThroughTek’s website, the Kalay platform’s supported products for its smart-home offerings include security cameras such as those used for baby monitors, video door phones, home appliances, smart locks, smart robots, personal cloud storage devices and many other devices. The company’s website said its home video surveillance products support Amazon Alexa and Google Home Assistant.

In order to exploit the problem, Mandiant said, a hacker would need comprehensive knowledge of the Kalay protocol and obtain Kalay unique identifiers registered to individual devices that hackers could access through manipulating someone or by finding other flaws in the products.

Yi-Ching Chen, a ThroughTek employee, said the company notified customers about the flaw and how to address it. The employee said in an email that the company takes cybersecurity seriously and thought the vulnerability would only happen when someone’s Wi-Fi was compromised.

We have a dedicated software test team to assure our software is built with great quality and security and perform penetration tests periodically,” said the ThoughTek employee. “Furthermore, we collaborate with our customers to have security assessments performed by third-party pen-testers.

Mandiant’s stated partnering with the federal government looks to be a harbinger for how future problems are made public, as FireEye Mandiant is participating in the Joint Cyber Defense Collaborative established by CISA to link the law enforcement and national security communities with private tech companies to combat hackers.

Mandiant listed the researchers responsible for discovering the vulnerability in ThroughTek’s product as Erik Barzdukas, Dillon Franke and Jake Valletta.


  1. I have a dumb house. No smart phone, no ring db, not even a smart tv. Smart tech gives me ocular migraines. I don’t miss any of it.

  2. That’s crazy stupid. I try and keep my house low tech, so I can fix stuff if it breaks. You could see from the beginning alot of tech was trojan horse for spying on end users.
    Probably how politicians get blackmailed into submission.

    • Think about it. Some political buttclown goes down the stroll. Picks up and underage buttclown. Gets home, and his video cam records him.
      Then so his wife doesn’t find, he submits to the enslavement of the satanist butt-puppet master, and does their bidding. Same principle as PedoEpstein island. Or Hefner’s dungeon.

      I think it’s from having the spirit of satan on earth. We have the Holy Spirit, and they have the unholy spirit of satan. So we will live through an epic battle probably, and see crazy stuff go down.

      Like state sponsored terrorism, psyops, and bioweaponized invaders crossing our border. Notice how the satanic elitists use Alinsky tactics? Well, he dedicated his book to lucifer, and was supposedly a pedohomo. That’s who these people worship.


Leave a reply

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.