Meeting Owl Pro is a video conferencing device with an array of cameras and microphones that captures 360-degree video and audio and automatically focuses on whoever is speaking, making meetings dynamic and inclusive. The consoles, which are slightly taller than an Amazon Alexa and shaped like a tree owl, are widely used by local governments, colleges, and law firms.
A recently published security analysis concluded that the devices pose an unacceptable risk to the networks they connect to and to the personal information of the people who subscribe to and manage them. The weaknesses include:
- Displaying the names, email addresses, IP addresses, and geographic locations of all Meeting Owl Pro users in an online database that anyone who understands how the system works can access. This data can be mined to map network topology, or to socially engineer or dox employees.
- The device gives anyone with access to it a view into the inter-process communication (IPC) channel it uses to interact with other devices on the network. This access can be abused by malicious insiders or by attackers exploiting some of the vulnerabilities found during the analysis.
- The Bluetooth functionality, which extends the device's range and provides remote control, uses no passcode by default, making it possible for a nearby attacker to take control of the device. Even when the optional passcode is set, attackers can disable it without first supplying it.
- Access point mode creates a new Wi-Fi SSID while the device uses a separate SSID to stay connected to the organization's network. By exploiting the Wi-Fi or Bluetooth functions, an attacker could compromise a Meeting Owl Pro device and then use it as a rogue access point to infiltrate or exfiltrate data or malware into or out of the network.
- Images of captured whiteboard sessions, supposedly intended only for meeting participants, can be downloaded by anyone who understands how the system works.
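The first weakness above, a cloud database of user names, email addresses, IP addresses, and locations that anyone who knows the API can read, is a classic unauthenticated, over-broad endpoint, and the vendor's planned fix (closing the RESTful API that retrieves PII) is the usual remedy. The following is an added illustration, not code from Owl Labs or modzero: a hypothetical "list devices" handler in its weak form beside a hardened form that requires a session token, scopes results to the caller's own tenant, and never returns the PII fields at all. The records, tokens, and header names are constructed for the example.

```python
"""Added example (not the vendor's code): an unauthenticated device-listing
endpoint that leaks PII, next to a hardened version.  All data is constructed."""
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class DeviceRecord:
    serial: str
    owner_name: str
    owner_email: str
    public_ip: str
    geo: str
    org_id: str


# Constructed sample records; serials, addresses and coordinates are made up.
DEVICES = [
    DeviceRecord("OWL-0001", "Alice", "alice@example.org", "203.0.113.10", "47.37,8.54", "org-a"),
    DeviceRecord("OWL-0002", "Bob", "bob@example.net", "198.51.100.7", "52.52,13.40", "org-b"),
]

# Constructed session table: bearer token -> tenant (organization) it belongs to.
SESSIONS = {"tok-alice": "org-a"}


class Unauthorized(Exception):
    """Raised when a request carries no valid session token."""


def list_devices_vulnerable(_request_headers: dict) -> list[dict]:
    """The weak design: no authentication check, no tenant scoping, every field
    of every record returned.  Anyone who learns the URL gets the whole table."""
    return [asdict(d) for d in DEVICES]


def _caller_org(request_headers: dict) -> str:
    """Resolve the caller's tenant from an 'Authorization: Bearer <token>' header."""
    header = request_headers.get("Authorization", "")
    scheme, _, token = header.partition(" ")
    if scheme != "Bearer" or not token.strip():
        raise Unauthorized("bearer token required")
    org = SESSIONS.get(token.strip())
    if org is None:
        raise Unauthorized("unknown or expired session")
    return org


def list_devices_hardened(request_headers: dict) -> list[dict]:
    """The hardened design:
    1. authentication: a valid session is mandatory;
    2. authorization: results are limited to the caller's own tenant;
    3. data minimisation: owner name, email, IP and location are not part of
       the response at all, so a future bug in 1 or 2 cannot leak them."""
    org = _caller_org(request_headers)
    return [{"serial": d.serial} for d in DEVICES if d.org_id == org]


if __name__ == "__main__":
    print("weak endpoint, no token:", list_devices_vulnerable({}))
    print("hardened, alice:", list_devices_hardened({"Authorization": "Bearer tok-alice"}))
    try:
        list_devices_hardened({})
    except Unauthorized as exc:
        print("hardened, no token:", exc)
```

The point of the third step is worth stressing: once the PII fields are removed from the response schema, an authorization mistake degrades to "one tenant sees another tenant's serial numbers" rather than a global dump of names, addresses and locations, which is the failure mode the report describes.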
The security holes are still not patched
Researchers from modzero, a security consulting firm based in Switzerland and Germany that performs penetration testing, reverse engineering, source code analysis, and risk assessment for its clients, discovered the vulnerabilities while analyzing video conferencing solutions on behalf of an unnamed client. The company first contacted Owl Labs, the maker of the Meeting Owl, based in Somerville, Massachusetts, in mid-January to report its findings. As of the time this post appeared on Ars, none of the most obvious vulnerabilities had been fixed, putting thousands of customer networks at risk.
In a 41-page security disclosure report (PDF), modzero researchers wrote:
While the performance features of this product line are interesting, modzero does not recommend using these products until effective measures have been taken. Network and Bluetooth features cannot be turned off completely. Even standalone use, where the Meeting Owl acts only as a USB camera, is not recommended. Attackers within Bluetooth’s close range can enable network communication and access critical IPC channels.
In a statement, Owl Labs officials wrote:
Owl Labs takes security seriously: We have dedicated teams deploying continuous updates to make our Owl smarter and fix bugs and security flaws, with defined processes to issue updates to Owl devices.
We release monthly updates and many of the security concerns raised in the original post have been addressed and will begin rolling out next week.
Owl Labs takes these vulnerabilities seriously. To the best of our knowledge, there has never been any breach of customer security. We have addressed or are in the process of addressing other points raised in the research report.
Here are the specific updates we’re working on to address the vulnerabilities, which will be available in June 2022 and are rolling out starting tomorrow:
- RESTful API to retrieve PII data won’t be possible anymore
- Implement MQTT service restrictions to secure IoT connections
- Remove PII access from previous owner in UI when transferring device from one account to another
- Restrict access or remove exposed access to the switchboard portal
- Fix for Wi-Fi AP tethering mode