CISA Reverses Course on Malicious Exploitation of Video Conferencing Device Flaws

CISA has removed from its KEV catalog five Owl Labs video conferencing flaws that require the attacker to be in Bluetooth range.

The US cybersecurity agency CISA has removed several Owl Labs product flaws from its Known Exploited Vulnerabilities (KEV) Catalog after SecurityWeek privately called into question its decision.

In mid-September, CISA added to its KEV catalog four vulnerabilities affecting Owl Labs’ Meeting Owl smart video conferencing product, a device shaped like an owl that features a 360° conference camera, a mic, and a speaker. Another Meeting Owl flaw was previously added to the KEV list. 

The Meeting Owl vulnerabilities, discovered last year by researchers at Swiss cybersecurity firm Modzero, include inadequate encryption, hardcoded credentials, missing authentication, and improper authentication issues. An attacker can use them to take control of the targeted Meeting Owl device and turn it into a rogue access point, but exploitation would require an attacker to be in Bluetooth range of the targeted Meeting Owl device. 

CISA announced this week that it has removed the Meeting Owl vulnerabilities, citing insufficient evidence of exploitation.

“CISA is continually collaborating with partners across government and the private sector. As a result of this collaboration, CISA has concluded that there is insufficient evidence to keep the [five Meeting Owl] CVEs in the catalog and has removed them,” the agency said.

When the vulnerabilities were added to the KEV list, SecurityWeek reached out to both CISA and the vendor for confirmation of malicious exploitation, given that there were no public reports of exploitation and that the vulnerabilities seemed unlikely to be considered useful by threat actors, as they require the attacker to be in Bluetooth range. Malicious hackers exploiting vulnerabilities via Bluetooth is, as far as we know, unheard of.

However, when faced with similar inquiries in the past, CISA insisted that only flaws for which it has reliable evidence of exploitation in the wild are added to the KEV catalog. In this case, it would have meant that the vulnerabilities were likely exploited by a highly motivated and sophisticated attacker as part of a targeted espionage campaign rather than as part of opportunistic operations.  

CISA has still not responded to SecurityWeek’s inquiry. When contacted in mid-September, Owl Labs’ response suggested that the company had not been aware of any attacks. The vendor informed SecurityWeek of CISA’s decision to remove the CVEs from its catalog on Thursday, but did not say why the cybersecurity agency thought the vulnerabilities were exploited. 

When the flaws were added to the KEV catalog, Tenable’s Ben Smith noted in a blog post, “I’m not currently aware of any [Bluetooth Low Energy (BLE)] vulnerabilities actually exploited in the wild. I’m also not aware of any malware that contains Bluetooth or BLE functionality. Evidence would probably look like either logs from the device or a sample of the malware with this capability. If this is true, it likely marks the first time we have such evidence of exploitation of BLE vulnerabilities.”

Smith explained at the time that there are two primary paths for exploiting these types of vulnerabilities: by directly targeting a device from close range via Bluetooth or by using a remotely compromised device that is in the target’s vicinity. 

A Bluetooth attack can theoretically be launched from up to 330 feet in the case of the Owl Labs device, which could possibly be achieved in some scenarios from a parking lot or sidewalk near the building housing the targeted device. The scenario involving a compromised device is not easy to achieve.

“Attackers could use BLE enumeration apps or install command-line tools like hcitool or gatttool to dive deeper into BLE exploration, but these are not installed by default on most laptops or mobile devices. So, malware wanting to exploit BLE vulnerabilities in a remote device would need to include such capabilities or an attacker would need to write some code to use BLE APIs exposed on the compromised device. These vary across operating systems and architectures,” Smith explained. 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
