About ThroughTek’s Kalay Platform Security Mechanism
Issue Time: June 2021
Dear Partners,
ThroughTek Co., Ltd. (hereinafter referred to as TUTK) has previously discovered a vulnerability within the P2P library that TUTK implemented in SDK versions up to and including 3.1.5. The main concern is that this vulnerability may allow IOTC encryption to be compromised. This vulnerability has been addressed in SDK version 3.1.10 and onwards, which was released in 2018. We STRONGLY suggest that you review the SDK version applied in your product and follow the instructions below to avoid any potential problems.
On this note, we would like to encourage you to keep a close watch on our future SDK releases in response to new security threats. If you have any further questions, please do not hesitate to contact your TUTK contact window for further assistance.
Affected SDK version and Firmware Implementation
1. All versions below 3.1.10
2. SDK versions with nossl tag
3. Device firmware that does not use AuthKey for IOTC connection
4. Device firmware that uses AVAPI module without enabling DTLS mechanism
5. Device firmware that uses P2PTunnel or RDT module
Impacts
1. Device spoofed
2. Device certificate hijack
3. Private data/video leakage
Action to take
1. If SDK is 3.1.10 and above, please enable AuthKey and DTLS
2. If SDK is below 3.1.10, please upgrade library to 3.3.1.0 or 3.4.2.0 and enable AuthKey/DTLS
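The following is an added inventory-audit helper, not ThroughTek code, that encodes the affected-build conditions and recommended actions listed above so a fleet of firmware builds can be checked consistently; the Build fields and the sample builds are assumptions made for illustration. It compares versions numerically, because a plain string comparison would wrongly rank "3.1.5" above "3.1.10".

```python
from dataclasses import dataclass

FIXED_VERSION = (3, 1, 10)  # advisory: addressed in SDK 3.1.10 and onwards


@dataclass
class Build:
    """Assumed descriptor of one device firmware build (not a TUTK structure)."""
    name: str
    sdk_version: str            # e.g. "3.1.5", "3.1.10", "3.4.2.0"
    nossl: bool = False         # SDK built with the nossl tag
    authkey: bool = False       # AuthKey used for the IOTC connection
    avapi: bool = False         # firmware uses the AVAPI module
    dtls: bool = False          # DTLS enabled for AVAPI
    p2ptunnel_or_rdt: bool = False  # firmware uses P2PTunnel or RDT


def parse_version(text: str) -> tuple:
    """'3.1.10' -> (3, 1, 10); tuples of ints compare correctly as versions."""
    return tuple(int(part) for part in text.strip().split("."))


def affected_reasons(b: Build) -> list:
    """Return every advisory condition the build matches (empty list = not affected)."""
    reasons = []
    if parse_version(b.sdk_version) < FIXED_VERSION:
        reasons.append(f"SDK {b.sdk_version} is below 3.1.10")
    if b.nossl:
        reasons.append("SDK built with nossl tag")
    if not b.authkey:
        reasons.append("AuthKey not used for IOTC connection")
    if b.avapi and not b.dtls:
        reasons.append("AVAPI module used without DTLS")
    if b.p2ptunnel_or_rdt:
        reasons.append("P2PTunnel or RDT module in use")
    return reasons


def recommended_action(b: Build) -> str:
    """Map the build onto the two actions the advisory gives."""
    if parse_version(b.sdk_version) >= FIXED_VERSION:
        return "enable AuthKey and DTLS"
    return "upgrade library to 3.3.1.0 or 3.4.2.0 and enable AuthKey/DTLS"


if __name__ == "__main__":
    # Constructed sample inventory, not real product data.
    fleet = [
        Build("cam-old", "3.1.5", avapi=True),
        Build("cam-new", "3.1.10", authkey=True, avapi=True, dtls=True),
    ]
    for build in fleet:
        print(build.name, affected_reasons(build), "->", recommended_action(build))
```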
Required skills for successful exploitation
1. A deep knowledge of network security
2. Knowledge of network sniffer tools
3. A deep knowledge of encryption algorithms