| Recurring |
one_organization, multiple_organization |
(a) The software failure incident has happened again at one_organization:
- The vulnerability in the ThroughTek Kalay SDK, which allows attackers to access live video and audio streams from smart devices, has been reported by researchers from Mandiant and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency [117823].
- ThroughTek, the company behind the Kalay platform, has been struggling to get customers to update their devices to mitigate the vulnerability, even though the necessary fixes have been available for several years [117823].
(b) The software failure incident has happened again at multiple_organization:
- Researchers from Nazomi Networks recently disclosed a different vulnerability in the Kalay platform that could also be exploited to access live audio and video feeds [117823].
- There have been warnings for years about the security implications of prefab IoT platforms like Kalay, indicating that similar vulnerabilities may exist in other similar platforms used by different organizations [117823]. |
| Phase (Design/Operation) |
design, operation |
(a) The software failure incident related to the design phase is evident in the vulnerability discovered in the ThroughTek Kalay SDK. The critical bug was found in the registration mechanism between devices and their mobile applications, specifically revolving around each device's unique Kalay identifier (UID). This flaw allowed attackers to hijack the connection by reregistering the UID, leading to unauthorized access to sensitive information and remote control of devices [117823].
(b) The software failure incident related to the operation phase is highlighted by the difficulty in getting customers to update their devices en masse. Despite the availability of a fix in the form of turning on two optional Kalay features, encrypted communication protocol DTLS, and API authentication mechanism AuthKey, many customers hesitated to upgrade due to concerns about connection speed. This operational challenge contributed to the persistence of the vulnerability in a significant number of devices even after three years of the initial alert [117823]. |
| Boundary (Internal/External) |
within_system, outside_system |
(a) The software failure incident related to the vulnerability in the ThroughTek Kalay SDK can be categorized as within_system. The critical bug was discovered within the registration mechanism between devices and their mobile applications, specifically related to the unique Kalay identifier (UID) and the protocol used by Kalay. This flaw allowed attackers to hijack connections and gain unauthorized access to sensitive information and control over the devices [117823].
(b) The software failure incident can also be categorized as outside_system as the vulnerability stemmed from the software development kit (ThroughTek Kalay) that is integrated into various smart devices manufactured by different companies. The flaw was not limited to a single manufacturer but affected a wide range of devices using the Kalay platform, highlighting the external nature of the vulnerability that permeated over 83 million devices and a billion internet connections each month [117823]. |
| Nature (Human/Non-human) |
non-human_actions, human_actions |
(a) The software failure incident in this case is primarily due to non-human actions, specifically a critical vulnerability in the ThroughTek Kalay software development kit (SDK) that allows attackers to access live video and audio streams, take control of devices remotely, and potentially exploit sensitive information without human involvement [117823]. The vulnerability lies in the registration mechanism between devices and their mobile applications, allowing attackers to hijack connections and manipulate devices through the Kalay platform [117823].
(b) However, human actions also play a role in exacerbating the situation. For instance, the failure to update devices with the necessary security patches and enable protective features like encrypted communication protocol DTLS and API authentication mechanism AuthKey contributes to the persistence of the vulnerability [117823]. Additionally, the delayed response from manufacturers and customers in updating the SDK and implementing necessary security measures highlights the human factor in addressing and mitigating the software failure incident [117823]. |
| Dimension (Hardware/Software) |
software |
(a) The software failure incident reported in the article is primarily related to software vulnerabilities in the ThroughTek Kalay SDK, which is used in various smart devices such as security cameras, DVRs, and baby monitors. The vulnerability allows attackers to access live video and audio streams, take control of the devices remotely, and potentially exploit sensitive information or perform remote code execution [117823].
(b) The software failure incident is specifically attributed to a critical bug in the registration mechanism between devices and their mobile applications, which is a software-related issue. The flaw in the UID registration process allows attackers to hijack connections, obtain special credentials, and control devices remotely without the user's knowledge. The vulnerability is in the software development kit (SDK) provided by ThroughTek, highlighting a software-related failure [117823]. |
| Objective (Malicious/Non-malicious) |
malicious |
(a) The software failure incident described in the article is malicious in nature. The vulnerability in the ThroughTek Kalay SDK could allow an attacker to access live video and audio streams, take full control of smart devices remotely, retrieve sensitive information, perform remote code execution, and potentially install malicious firmware on target devices [117823]. The flaw in the registration mechanism between devices and their mobile applications can be exploited by attackers to hijack connections and gain unauthorized access to devices, demonstrating malicious intent to harm the system. |
| Intent (Poor/Accidental Decisions) |
accidental_decisions |
(a) The intent of the software failure incident was not due to poor decisions but rather due to mistakes or unintended decisions. The vulnerability in the ThroughTek Kalay SDK that led to the software failure incident was discovered by researchers from the security firm Mandiant, who then disclosed it in conjunction with the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency [117823]. The incident was not a result of poor decisions but rather a critical bug in the registration mechanism between devices and their mobile applications, which allowed attackers to exploit the flaw and gain unauthorized access to sensitive information and control over the devices remotely. |
| Capability (Incompetence/Accidental) |
development_incompetence |
(a) The software failure incident in the article is related to development incompetence. The vulnerability in the ThroughTek Kalay SDK, affecting millions of smart devices, was discovered by researchers from the security firm Mandiant. They found a critical bug in the registration mechanism between devices and their mobile applications, allowing an attacker to hijack the connection and take full control of the gadgets remotely [117823].
(b) The software failure incident can also be attributed to accidental factors. The vulnerability in the ThroughTek Kalay SDK was not intentionally created but was a result of a flaw in the registration mechanism that could be exploited by attackers. The company, ThroughTek, acknowledged the vulnerability and worked with Mandiant to address the issue by recommending manufacturers to enable two optional Kalay features to mitigate the risk [117823]. |
| Duration |
permanent |
(a) The software failure incident described in the article is more of a permanent nature. The vulnerability in the ThroughTek Kalay SDK, which allows attackers to access live video and audio streams, take full control of devices remotely, and potentially exploit sensitive information, is a critical flaw that persists until the necessary security measures are implemented [117823]. Despite the availability of updates and optional features to mitigate the vulnerability, the challenge lies in getting all affected devices to apply these fixes, leading to a prolonged period of exposure to potential attacks. |
| Behaviour |
omission, value, other |
(a) crash: The software failure incident described in the article does not involve a crash where the system loses state and does not perform any of its intended functions.
(b) omission: The vulnerability in the software allows an attacker to access live video and audio streams over the internet and take full control of the gadgets remotely. This can be considered an omission failure as the system omits to protect the devices from unauthorized access [117823].
(c) timing: The software failure incident is not related to timing issues where the system performs its intended functions but at the wrong time.
(d) value: The vulnerability in the software allows attackers to control the devices remotely, access sensitive information, view video feeds in real-time, potentially install malicious firmware, and perform denial of service attacks. This can be considered a value failure as the system performs its intended functions incorrectly by allowing unauthorized access and control [117823].
(e) byzantine: The software failure incident does not involve a byzantine failure where the system behaves erroneously with inconsistent responses and interactions.
(f) other: The other behavior observed in this software failure incident is the exploitation of a critical bug in the software development kit that allows attackers to hijack connections, access sensitive information, and control devices remotely without the user's knowledge [117823]. |