Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Audits

Flaws Found in Evoko Meeting Room Management Devices

Meeting room management devices from Evoko have flaws that can be exploited by malicious actors in attacks aimed at enterprises that use the product, researchers warned.

Meeting room management devices from Evoko have flaws that can be exploited by malicious actors in attacks aimed at enterprises that use the product, researchers warned.

The Evoko Liso product allows the employees of an organization to book meeting rooms from their calendar or by using the touchscreen interface of the device installed at each meeting room’s door. The system is managed, configured and updated via the Evoko Home software.

The product is used by thousands of organizations worldwide, including the U.S. Senate, Microsoft, Verizon, HP, Atos, Coca Cola, Siemens, DHL, Ernst & Young, Philips and McDonald’s.

Researchers at TrueSec performed a three-day analysis of the solution for a client and discovered that it’s affected by many potentially serious vulnerabilities, including ones that can be exploited to remotely hijack the device.Evoko Liso vulnerabilities

One of the flaws allows an attacker who has physical access to the device to boot a custom Linux system from a USB drive and install a backdoor that remains active even after a firmware update. The flaw can be exploited to access sensitive information, including passwords, and to create a reverse shell on the device.

Researchers determined that the device’s firmware upgrade process is also vulnerable. They discovered that while firmware images are encrypted, the encryption key is derived from a hardcoded password, and the firmware update functionality does not include integrity and authenticity checks. The firmware update process is also vulnerable to man-in-the-middle (MitM) attacks.

Malicious actors could also manipulate firmware metadata and file content to exploit an arbitrary file write vulnerability that allows the execution of arbitrary code with root privileges.

An attacker who has access to the device can also break out of the kiosk mode and launch a Chrome browser that is running with root privileges. Once they have access to the browser, a hacker can access sensitive information and execute arbitrary shell commands with root privileges from a JavaScript loaded in the browser.

Experts said hackers can also execute shell commands as root by abusing the device’s Wi-Fi connection menu.

As for the Evoko Home software, researchers determined that an attacker with network access to the application can exploit various flaws to create new admin accounts, send out emails, cause a denial-of-service (DoS) condition, and read arbitrary files on the system.

Experts also said the DDP remote procedure call used between Liso and Home allows unauthenticated connections, which can be exploited by attackers to obtain sensitive information, trigger firmware updates, and send emails.

TrueSec reported its findings to Evoko in late January. The vendor told researchers that most of the issues they reported have been patched in recent releases of its firmware, and steps have been taken to mitigate remaining issues. TrueSec said it could not confirm these claims as the company no longer has access to the tested Evoko Liso devices.

SecurityWeek has reached out to the vendor for comment last week, but the company has not responded.

“The Evoko Liso device is a typical example of embedded equipment that will be connected to a corporate network. These devices contain a full Linux system, but corporate IT admins have very little control over them (due to their encapsulated design and limited interfaces). This leaves most of the security decisions to the device vendors – for application code, operating system and third party libraries,” TrueSec’s Emil Kvarnhammar said in a blog post. “It is crucial that IoT vendors build secure and robust systems, and that the systems can be updated remotely in a secure fashion when new vulnerabilities are discovered.”

Related: Flaw in Fingerprint Access Devices Could Make It Easy to Open Doors

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

ICS/OT

Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.