Meeting Owl videoconferencing equipment used by the government is a security disaster


Meeting Owl Pro is a video conferencing device with an array of cameras and microphones that captures 360-degree video and audio and automatically focuses on whoever is speaking, which is meant to make meetings more dynamic and inclusive. Slightly taller than an Amazon Alexa speaker and shaped like a tree owl, the consoles are widely used by state and local governments, universities and law firms.

A recently released security analysis concluded that these devices pose an unacceptable risk to the networks they connect to and the personal information of those who register and manage them. A litany of weaknesses includes:

  • The names, email addresses, IP addresses and geographic locations of all Meeting Owl Pro users are exposed in an online database that can be accessed by anyone who understands how the system works. This data can be used to map network topology, to socially engineer employees, or to dox them.
  • The device gives anyone who can reach it access to an interprocess communication channel, or IPC, that it uses to interact with other devices on the network. This access can be exploited by malicious insiders, or by outside attackers who first exploit one of the other vulnerabilities found during the analysis.
  • By default, the Bluetooth feature, designed to extend the range of the device and provide remote control, does not use a passcode, allowing a hacker within radio range to take control of the device. Even when a passcode is optionally set, a hacker can deactivate it without first having to provide it.
  • An access point mode creates a new Wi-Fi SSID while the device stays connected to the organization's network through a separate SSID. By leveraging the Wi-Fi or Bluetooth weaknesses, attackers can compromise Meeting Owl Pro devices and then use them as rogue access points to move data or malware into or out of the network.
  • Anyone with an understanding of how the system works can download captured images of whiteboard sessions, which should be available only to meeting participants.

Obvious vulnerabilities remain unpatched

Researchers from modzero, a Swiss and German security consulting firm that performs penetration testing, reverse engineering, source code analysis and risk assessment for its clients, discovered the vulnerabilities while analyzing a videoconferencing solution on behalf of an unnamed client. The company first contacted Owl Labs, the Somerville, Massachusetts-based maker of the Meeting Owl, in mid-January to report its findings privately. As of the time this article was published on Ars, none of the most glaring vulnerabilities had been fixed, putting thousands of customer networks at risk.

In a 41-page security disclosure report (PDF), modzero researchers wrote:

While the operational characteristics of this product line are interesting, modzero does not recommend using these products until effective action is taken. Network and Bluetooth functions cannot be turned off completely. It is not even recommended to use Meeting Owl alone as a USB camera. An attacker within range of Bluetooth can activate network communication and gain access to critical IPC channels.

In a statement, Owl Labs officials wrote:

Owl Labs takes security very seriously: we have teams working to implement continuous updates to make our Meeting Owls smarter, fix security holes and bugs, and define a process for pushing updates to Owl devices.

We release monthly updates and many of the security issues highlighted in the original article have been addressed and will begin rolling out next week.

Owl Labs takes these vulnerabilities seriously. To our knowledge, there has never been any customer security breach. We have either addressed or are in the process of addressing other issues raised in the research report.

Here are the specific updates we’ve made to address the security vulnerabilities, which will roll out in June 2022 and begin tomorrow:

  • RESTful API for retrieving PII data will no longer be possible
  • Implement MQTT service limits to secure IoT communications
  • Remove access to PII in UI when transferring device from one account to another
  • Restrict access or remove access to exposed switch ports
  • Fixed Wi-Fi AP tethering mode
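The IPC exposure in the list of weaknesses above and the MQTT item in Owl Labs' fix list concern the same kind of channel: a message broker on the LAN that any device, or any attacker, can talk to. The Python script below is an added example written for this page, not code from modzero's report or from Owl Labs. It assumes the channel is plain MQTT 3.1.1 over unencrypted TCP and that each session's CONNECT and CONNACK packets have been pulled from a network capture; every packet it checks is hand-built rather than captured from a Meeting Owl. It parses each CONNECT to see whether the client presented a username and password, then pairs it with the broker's CONNACK so that an anonymous session the broker actually accepted is distinguished from one it refused.

```python
"""Audit MQTT sessions for anonymous or weakly authenticated CONNECTs.

Added example for this page; not code from modzero or Owl Labs. Assumes the
IPC channel is plain MQTT 3.1.1 over unencrypted TCP and that each session's
CONNECT/CONNACK pair has been extracted from a LAN capture. All packets below
are hand-built, not captured from a real device.
"""
import struct


def _remaining_length(buf, pos):
    """Decode the MQTT variable-length 'remaining length' field at buf[pos]."""
    value, multiplier = 0, 1
    while True:
        if pos >= len(buf):
            raise ValueError("truncated remaining length")
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) * multiplier
        if not b & 0x80:
            return value, pos
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed remaining length")


def _read_string(buf, pos):
    """Read a 2-byte big-endian length-prefixed field."""
    if pos + 2 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack_from(">H", buf, pos)
    pos += 2
    if pos + n > len(buf):
        raise ValueError("truncated string")
    return buf[pos:pos + n], pos + n


def parse_connect(packet):
    """Describe a CONNECT packet (type 1); return None for any other type."""
    if not packet or packet[0] >> 4 != 1:
        return None
    length, pos = _remaining_length(packet, 1)
    body = packet[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated CONNECT body")
    proto, p = _read_string(body, 0)            # protocol name, e.g. b"MQTT"
    level, flags = body[p], body[p + 1]         # protocol level, connect flags
    keepalive = struct.unpack_from(">H", body, p + 2)[0]
    client_id, p = _read_string(body, p + 4)
    if flags & 0x04:                            # Will flag: skip topic and message
        _, p = _read_string(body, p)
        _, p = _read_string(body, p)
    has_user, has_pass = bool(flags & 0x80), bool(flags & 0x40)
    if has_user:
        _, p = _read_string(body, p)
    if has_pass:
        _, p = _read_string(body, p)
    return {"protocol": proto.decode("ascii", "replace"), "level": level,
            "client_id": client_id.decode("utf-8", "replace"),
            "keepalive": keepalive, "has_username": has_user,
            "has_password": has_pass}


def connack_accepted(packet):
    """True if a CONNACK (type 2) carries return code 0, 'connection accepted'."""
    return len(packet) >= 4 and packet[0] >> 4 == 2 and packet[3] == 0


def audit(sessions):
    """sessions: (client_ip, connect_bytes, connack_bytes). Returns findings."""
    findings = []
    for ip, connect, connack in sessions:
        info = parse_connect(connect)
        if info is None:
            continue
        accepted = connack_accepted(connack)
        if not info["has_username"] and not info["has_password"] and accepted:
            findings.append((ip, info["client_id"], "anonymous CONNECT accepted by broker"))
        elif not info["has_password"] and accepted:
            findings.append((ip, info["client_id"], "accepted with username but no password"))
        elif info["has_password"]:
            # Assumption from the lead-in: no TLS, so the password is on the wire.
            findings.append((ip, info["client_id"], "credentials sent in cleartext"))
    return findings


def build_connect(client_id, username=None, password=None):
    """Hand-build a minimal MQTT 3.1.1 CONNECT packet for the constructed sample."""
    flags = 0x02                                              # clean session
    payload = struct.pack(">H", len(client_id)) + client_id.encode()
    for field, bit in ((username, 0x80), (password, 0x40)):
        if field is not None:
            flags |= bit
            payload += struct.pack(">H", len(field)) + field.encode()
    body = b"\x00\x04MQTT\x04" + bytes([flags]) + struct.pack(">H", 60) + payload
    n, encoded = len(body), b""
    while True:                                               # remaining-length varint
        d, n = n % 128, n // 128
        encoded += bytes([d | 0x80 if n else d])
        if not n:
            return b"\x10" + encoded + body


CONNACK_OK = b"\x20\x02\x00\x00"
CONNACK_DENIED = b"\x20\x02\x00\x05"                          # 5 = not authorized

# Constructed sessions, not captured traffic.
SAMPLE = [
    ("10.0.0.21", build_connect("owl-anon"), CONNACK_OK),
    ("10.0.0.22", build_connect("owl-anon"), CONNACK_DENIED),
    ("10.0.0.23", build_connect("owl-user", "owl"), CONNACK_OK),
    ("10.0.0.24", build_connect("console", "svc", "s3cret"), CONNACK_OK),
    ("10.0.0.25", b"\x30\x05\x00\x03a/bX", CONNACK_OK),        # PUBLISH, skipped
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

The pairing with CONNACK is the part worth copying: a client that omits credentials is only a finding if the broker said yes, which is exactly the condition under which any host on the LAN, or an attacker who has turned on the device's network stack over Bluetooth, can join the IPC channel. The cleartext-credentials finding rests on the no-TLS assumption stated above and should be dropped if the broker actually runs on a TLS listener.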
