About ThroughTek’s Kalay Platform Security Mechanism
Issue Time: June 2021
ThroughTek Co., Ltd. (hereinafter referred to as TUTK) has recently found that many customers have incorrectly implemented our SDK or have disregarded our SDK version updates.
We previously discovered a vulnerability in the P2P library that TUTK implemented in SDK versions up to and including 3.1.5. The main concern is that this vulnerability may allow IOTC encryption to be compromised. It has been addressed in SDK version 3.1.10 and later, which was released in 2018. We STRONGLY suggest that you review the SDK version used in your product and follow the instructions below to avoid any potential problems.
On this note, we would like to encourage you to keep a close watch on our future SDK releases in response to new security threats. If you have any further questions, please do not hesitate to contact your TUTK contact window for further assistance.
Affected SDK version and Firmware Implementation
1. All versions below 3.1.10
2. SDK versions with nossl tag
3. Device firmware that does not use AuthKey for the IOTC connection
4. Device firmware that uses the AVAPI module without enabling the DTLS mechanism
5. Device firmware that uses the P2PTunnel or RDT module
Potential Impact
1. Device spoofing
2. Device certificate hijacking
3. Private data/video leakage
Action to take
1. If the SDK is 3.1.10 or above, please enable AuthKey and DTLS
2. If the SDK is below 3.1.10, please upgrade the library to 22.214.171.124 or 126.96.36.199 and enable AuthKey/DTLS
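The affected-configuration list and the two remediation branches above can be turned into a single inventory check. The following is an added example, not ThroughTek/TUTK code: it scores each firmware record against the five affected criteria (SDK below 3.1.10, nossl build tag, no AuthKey on the IOTC connection, AVAPI without DTLS, P2PTunnel or RDT in use) and returns the advisory's corresponding action. The record schema, field names and sample devices are assumptions constructed for illustration; the version comparison is done numerically because a plain string compare ranks 3.1.5 above 3.1.10.

```python
# Added example (not ThroughTek/TUTK code): check a constructed firmware
# inventory against the advisory's affected-configuration list and report
# the matching action. Record schema and sample devices are assumptions.
from dataclasses import dataclass
from typing import List, Tuple

# First SDK version in which the P2P library vulnerability is fixed (from the advisory).
MIN_FIXED_VERSION = (3, 1, 10)
# Modules the advisory lists as affected regardless of version.
RISKY_MODULES = {"p2ptunnel", "rdt"}


@dataclass
class DeviceFirmware:
    """One device firmware build as an operator might record it (assumed schema)."""
    name: str
    sdk_version: str               # e.g. "3.1.5"
    build_tag: str = ""            # e.g. "nossl"
    uses_authkey: bool = False     # AuthKey used for the IOTC connection
    uses_avapi: bool = False       # AVAPI module linked in
    dtls_enabled: bool = False     # DTLS mechanism enabled for AVAPI
    modules: Tuple[str, ...] = ()  # other TUTK modules in use, e.g. ("P2PTunnel",)


def parse_version(version: str) -> Tuple[int, ...]:
    """'3.1.10' -> (3, 1, 10). Compared as integers, since as strings "3.1.5" > "3.1.10"."""
    return tuple(int(part) for part in version.strip().split("."))


def assess(fw: DeviceFirmware) -> List[str]:
    """Return one finding per advisory criterion the firmware matches (empty list = not affected)."""
    findings: List[str] = []
    if parse_version(fw.sdk_version) < MIN_FIXED_VERSION:
        findings.append(f"SDK {fw.sdk_version} is below 3.1.10")
    if "nossl" in fw.build_tag.lower():
        findings.append("SDK build carries the nossl tag")
    if not fw.uses_authkey:
        findings.append("IOTC connection does not use AuthKey")
    if fw.uses_avapi and not fw.dtls_enabled:
        findings.append("AVAPI module used without DTLS")
    for module in fw.modules:
        if module.lower() in RISKY_MODULES:
            findings.append(f"uses the {module} module")
    return findings


def recommended_action(fw: DeviceFirmware) -> str:
    """The advisory's two-branch remediation, keyed on the SDK version."""
    if parse_version(fw.sdk_version) >= MIN_FIXED_VERSION:
        return "enable AuthKey and DTLS"
    return "upgrade the SDK library to a current release, then enable AuthKey and DTLS"


# Constructed sample inventory; these are not real products.
SAMPLE_INVENTORY = [
    DeviceFirmware("cam-a", "3.1.5", uses_authkey=True, uses_avapi=True, dtls_enabled=True),
    DeviceFirmware("cam-b", "3.1.10", build_tag="nossl", uses_avapi=True),
    DeviceFirmware("cam-c", "3.1.10", uses_authkey=True, uses_avapi=True, dtls_enabled=True),
    DeviceFirmware("dvr-d", "3.4.0", uses_authkey=True, modules=("P2PTunnel",)),
]


def report(inventory=SAMPLE_INVENTORY) -> List[Tuple[str, List[str], str]]:
    """(device, findings, action) for every affected device in the inventory."""
    return [(fw.name, assess(fw), recommended_action(fw)) for fw in inventory if assess(fw)]


if __name__ == "__main__":
    for name, findings, action in report():
        print(f"{name}: {'; '.join(findings)} -> {action}")
```

Only cam-c passes: it is on 3.1.10, uses AuthKey, and has DTLS enabled for AVAPI. The check deliberately flags AuthKey and DTLS omissions even on fixed SDK versions, because the advisory lists those as affected implementations independent of the library version.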
Required skills for successful exploitation
1. A deep knowledge of network security
2. Knowledge of network sniffer tools
3. A deep knowledge of encryption algorithms