Meeting Owl videoconferencing device used by referees is a security disaster

The Meeting Owl Pro is a videoconferencing device with an array of cameras and microphones that capture 360-degree video and audio and automatically focus on whoever is speaking, making meetings more dynamic and inclusive. The consoles, which are slightly taller than an Amazon Alexa and resemble a tree owl, are widely used by state and local governments, colleges, and law firms.

A recently published security analysis concluded that the devices pose an unacceptable risk to the networks they connect to and to the personal information of those who register and manage them. The weaknesses include:

  • The devices disclose the names, email addresses, IP addresses and geolocations of all Meeting Owl Pro users in an online database that can be accessed by anyone who understands how the system works. This data can be exploited to map network topologies, socially engineer employees, or dox them.
  • The device gives anyone with access to it an extended inter-process communication (IPC) channel that is used to interact with other devices on the network. This access can be exploited by malicious insiders or by attackers who exploit some of the vulnerabilities found during the analysis.
  • The Bluetooth function designed to extend the range of the devices and provide remote control uses no passcode by default, making it possible for an attacker in close physical proximity to control the devices. Even if an optional passcode is set, an attacker can disable it without having to provide it first.
  • Access Point Mode creates a new Wi-Fi SSID while using a separate SSID to stay connected to the organization’s network. By exploiting the Wi-Fi or Bluetooth functionality, an attacker can compromise a Meeting Owl Pro device and then use it as a rogue access point to exfiltrate data or to bring data or malware into the network.
  • Images of captured whiteboard sessions, which are meant to be available only to meeting participants, can be downloaded by anyone who understands how the system works.

Glaring vulnerabilities remain unfixed

Researchers from modzero, a Switzerland- and Germany-based security consulting firm that performs penetration testing, reverse engineering, source code analysis and risk assessment for its clients, discovered the weaknesses while analyzing videoconferencing solutions on behalf of an unnamed client. The company first contacted Meeting Owl maker Owl Labs, of Somerville, Massachusetts, in mid-January to report its findings. As of the time this post was published on Ars, none of the most serious vulnerabilities had been fixed, leaving thousands of customer networks at risk.

In a 41-page security disclosure report (PDF), modzero researchers wrote:

While the operational features of this product line are interesting, modzero does not recommend the use of these products until effective measures are in place. Network and Bluetooth features cannot be turned off completely. Even standalone use, where the Meeting Owl serves as a USB cam only, is not suggested. Attackers within close range of Bluetooth can activate a network connection and gain access to critical IPC channels.

In a statement, Owl Labs officials wrote:

Owl Labs takes security seriously: We have teams dedicated to implementing continuous updates to make our Meeting Owl smarter and to fix security flaws and bugs, with specific processes to push updates to Owl devices.

We release updates monthly, and many of the security concerns outlined in the original article have already been addressed and will begin rolling out next week.

Owl Labs takes these vulnerabilities very seriously. To our knowledge, there has been no breach of customer security. We have either already addressed or are in the process of addressing the other points raised in the research report.

Here are the specific updates we’re making to address the vulnerabilities, which will be available in June 2022 and will be implemented as of tomorrow:

  • RESTful API to retrieve PII data will no longer be possible
  • Apply MQTT service restrictions to secure IoT connections
  • Remove PII access from a previous owner in the user interface when moving a device from one account to another
  • Restrict access or remove exposure access to the switchboard port
  • Fix for Wi-Fi AP Tethering Mode