Security Experts:

Connect with us

Hi, what are you looking for?


IoT Security

Many Vulnerabilities Found in Wireless Presentation Devices

Researchers at Tenable have discovered a total of 15 vulnerabilities across eight wireless presentation systems, including flaws that can be exploited to remotely hack devices.

Researchers at Tenable have discovered a total of 15 vulnerabilities across eight wireless presentation systems, including flaws that can be exploited to remotely hack devices.

Wireless presentation systems make it easier for users to display content on a screen or through a projector from laptops and mobile devices. They are often used in enterprises and educational organizations.

The security holes were discovered during the analysis of Crestron AirMedia AM-100 and AM-101 products, but it turned out that these devices shared code with presentation systems from several other vendors. As a result, some of the 15 flaws also impact Barco wePresent, Extron ShareLink, InFocus LiteShow, TEQ AV IT WIPS710, SHARP PN-L703WA, Optoma WPS-Pro, Blackbox HD WPS, and possibly products from other vendors. Barco appears to be the OEM for some of these devices.

Wireless presentation systems vulnerable to hacker attacksThe vulnerabilities, some of which have been classified as “critical,” include issues that can be exploited for command injection and for gaining unauthorized access to a device.

Several of the flaws allow a remote, unauthenticated attacker to inject operating system commands, while others can be exploited remotely without authentication to change admin and moderator passwords, view presentations, bypass authentication with a hardcoded session ID, hijack moderator controls and start or stop screen-sharing sessions, and cause a denial-of-service (DoS) condition.

Tenable also uncovered default administrator passwords and credentials stored in plain text (accessible to authenticated users).

A Shodan search showed hundreds of internet-exposed Crestron AirMedia devices, mostly located in the United States and Canada and mostly used by universities. Jacob Baines, the Tenable researcher credited for finding the flaws, said he had identified over 100 different universities in North America that exposed these devices to the internet.

Tenable started reporting the flaws to impacted vendors in mid-January and the companies have been given 90 days to release patches. Crestron told Tenable that it had been aware of 8 of the vulnerabilities and it had been working on fixes. However, at the time of the cybersecurity firm’s disclosure, only Extron and Barco appeared to have released firmware updates. Crestron’s website indicates that the AM-100 and AM-101 products have been discontinued.

Until patches become available, users can reduce the risk of attacks by ensuring that these systems are not exposed to the internet.

Internet of Things (IoT) devices are often targeted by cybercriminals so it’s important that users install patches and implement mitigations. In fact, the Barco wePresent WiPG-1000 product, which is covered by Tenable’s research, has been targeted by the notorious Mirai botnet.

Related: P2P Flaws Expose Millions of IoT Devices to Remote Attacks

Related: Why it’s So Hard to Implement IoT Security

Related: Mozilla, Others Want Big Retailers to Pledge Minimum IoT Security

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.