Meeting Owl security vulnerabilities report raises concerns
Security vulnerabilities affecting The Meeting Owl 360-degree video conferencing device have been discovered by Swiss security analysts Modzero AG.
The vulnerabilities were first reported online by Ars Technica under the title “The Meeting Owl video conferencing device used by governments is a security disaster”.
According to the Modzero report, the vulnerabilities allowed an attacker to find registered devices, their data, and their owners around the world. Attackers could also access confidential whiteboard screenshots or use the owl to gain access to the owner’s network. PIN protection, which protects the owl against unauthorized use, could also be circumvented using four different approaches.
In its Security Disclosure Report, Modzero said it first contacted Meeting Owl vendor Owl Labs in January and did not recommend the devices for use until all bugs were fixed.
In a blog post on Meeting Owl security vulnerabilities, Austrian consultant Harald Steindl wrote: “It’s really no secret that many audio/video products don’t take the issue of computer security very seriously. These security flaws in video conferencing products can have dramatic repercussions… unencrypted web interfaces (only http instead of https), no obligation to secure passwords, dubious network protocols, etc. The list seems endless. However, what American manufacturer Owl Labs has achieved is hard to beat. Five serious vulnerabilities have been identified in the CVE list, the international directory of computer security vulnerabilities.”
In a response to AV Magazine, Owl Labs said: “All identified high priority security issues were resolved in March 2022, and with two global software releases that occurred on 6.3.22 and 6.6.2022.
“These updates include:
- Pausing the Whiteboard Owl Save & Share feature and permanently deleting all data (March 2022)
- RESTful API to retrieve PII data will no longer be possible
- Implement MQTT service restrictions to secure IoT communications
- Removed access to a previous owner’s personal information in the UI when transferring a device from one account to another
- Limit access or remove access to standard port exposure
- Disable passthrough of network traffic in Wi-Fi AP connection mode so that the Meeting Owl cannot be used as a wireless access point (reference CVE-2022-31460).
“Upcoming updates will address associated CVE IDs, which are tied to the Meeting Owl Pro PIN (referred to here as Access Code):
- Password is not required for Bluetooth command (CVE-2022-31463)
- Hardcoded secret backdoor code (CVE-2022-31462)
- Disable password without authentication (CVE-2022-31461)
- Password hash can be retrieved over Bluetooth (CVE-2022-31459)
“To be clear, once the latest software version is applied, there is no risk of unauthorized network access due to the above CVEs. Owl PIN issues are low risk and would allow someone only access to default meeting settings per meeting (eg presenter enhancement, 360 degree panning on/off) and would require them to be within Bluetooth range. We plan to fix the above issues by June 28 and will let you know once completed.”