The Meeting Owl Pro is a video conferencing device with an array of cameras and microphones that captures 360 degree video and audio and automatically focuses on the person speaking to make meetings more dynamic and inclusive. The consoles, which are slightly taller than an Amazon Alexa and resemble a tree owl, are widely used by state and local governments, colleges and law firms.
A recently released security analysis concluded that the devices pose an unacceptable risk to the networks they connect to and to the personal information of those who register and administer them. The litany of weaknesses includes:
- Exposing the names, email addresses, IP addresses, and geographic locations of all Meeting Owl Pro users in an online database accessible to anyone familiar with the operation of the system. This data can be leveraged to map network topologies, carry out social engineering, or dox employees.
- The device allows anyone to access the interprocess communication channel, or IPC, that it uses to interact with other devices on the network. This access can be exploited by malicious insiders or by hackers who exploit some of the vulnerabilities found during the scan.
- Bluetooth functionality designed to extend the range of devices and provide remote control by default uses no passwords, allowing a nearby hacker to control devices. Even when a password is optionally set, the hacker can disable it without having to provide it first.
- A hotspot mode that creates a new Wi-Fi SSID while using a separate SSID to stay connected to the organization’s network. By exploiting Wi-Fi or Bluetooth capabilities, an attacker can compromise the Meeting Owl Pro device and then use it as a malicious access point that infiltrates or exfiltrates data or malware into or out of the network.
- Images of captured whiteboard sessions – which are meant to be available only to meeting participants – can be downloaded by anyone with an understanding of how the system works.
Glaring vulnerabilities remain unpatched
Researchers from modzero, a Swiss- and German-based security consultancy that performs penetration testing, reverse engineering, source-code analysis, and risk assessment for its clients, discovered the threats while analyzing video conferencing solutions on behalf of an anonymous client. The company first contacted Owl Labs, the Somerville, Massachusetts-based maker of the Meeting Owl, in mid-January to share its findings privately. At the time this post went live on Ars, none of the more egregious vulnerabilities had been patched, leaving thousands of customer networks at risk.
In a 41-page security disclosure report (PDF), modzero researchers wrote:
Although the operational characteristics of this product line are interesting, modzero does not recommend using these products until effective measures are applied. Network and Bluetooth functions cannot be completely disabled. Even standalone use, where the Meeting Owl only acts as a USB camera, is not suggested. Attackers near Bluetooth can enable network communication and gain access to critical IPC channels.
In a statement, Owl Labs officials wrote:
Owl Labs takes security seriously: we have teams dedicated to implementing continuous updates to make our Meeting Owls smarter and fixing security vulnerabilities and bugs, with defined processes for releasing updates. up-to-date on Owl devices.
We release updates monthly, and many of the security issues highlighted in the original article have already been fixed and will begin rolling out next week.
Owl Labs takes these vulnerabilities seriously. To our knowledge, there has never been a breach of customer security. We have already addressed or are in the process of addressing other points raised in the research report.
Below are the specific updates we are making to address security vulnerabilities, which will be available in June 2022 and implemented starting tomorrow:
- RESTful API to retrieve PII data will no longer be possible
- Implement MQTT service restrictions to secure IoT communications
- Removed access to a previous owner’s personal information in the UI when transferring a device from one account to another
- Limit access or remove access to standard port exposure
- Fix Wi-Fi AP connection mode