Latest News & Notices

About ThroughTek’s Kalay Platform Security Mechanism

Issue Time: June 2021

Dear Partners,

Recently ThroughTek Co., Ltd. (hereinafter referred to as TUTK) has discovered many customers has incorrectly implemented our SDK or have disregarded our SDK version updates.
We have previously discovered a vulnerability within the P2P library TUTK implemented in SDK up to and including 3.1.5. The main concern is that this vulnerability may cause IOTC encryption to be compromised. This vulnerability has been addressed in SDK version 3.1.10 and onwards, which was released in 2018. We STRONGLY suggest that you review the SDK version applied in your product and follow the instructions below to avoid any potential problems.
On this note, we would like to encourage you to keep a close watch to our future SDK releases in response to new security threats. If you have any further questions, please do not hesitate to contact your TUTK contact window for further assistance.

 

Affected SDK version and Firmware Implementation

1. All versions below 3.1.10
2. SDK versions with nossl tag
3. Device firmware that does not use AuthKey for IOTC connection
4. Device firmware that uses AVAPI module without enabling DTLS mechanism
5. Device firmware that uses P2PTunnel or RDT module

Impacts

1. Device spoofed
2. Device certificate hijack
3. Private data/video leakage

Action to take

1. 1.If SDK is 3.1.10 and above, please enable Authkey and DTLS
2. If SDK is below 3.1.10, please upgrade library to 3.3.1.0 or 3.4.2.0 and enable Authkey/DTLS
Required skills for successful exploitation
1. A deep knowledge of network security
2. Knowledge of network sniffer tools
3. A deep knowledge of encryption algorithm

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close

Bitnami