Notes on ThroughTek Kalay Vulnerabilities and Their Impact on the IoT Ecosystem
ID: fb73f780-d1f6-5c30-a8d5-1005e3e07478
STIX ID: report--fb73f780-d1f6-5c30-a8d5-1005e3e07478
Feed Name: Bitdefender Labs
Bitdefender IoT researchers disclosed four high-severity vulnerabilities in the ThroughTek Kalay platform (CVE-2023-6321–6324) that, when chained, allow local attackers to obtain AuthKey/DTLS PSK material, escalate to root, and execute commands on affected IoT cameras. The findings impact multiple vendors (Owlet, Wyze, Roku and others using the Kalay SDK); a coordinated disclosure was arranged and firmware/SDK patches were released.
