Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

Owl Labs Patches Severe Vulnerability in Video Conferencing Devices

Video conferencing company Owl Labs has released patches for a severe vulnerability affecting its Meeting Owl Pro and Whiteboard Owl devices.

Owl Labs’ Meeting Owl Pro features a 360° lens camera to offer a panoramic view of the conference room. It offers support for various video conferencing solutions, including Zoom, Skype, and Google Meet.

Video conferencing company Owl Labs has released patches for a severe vulnerability affecting its Meeting Owl Pro and Whiteboard Owl devices.

Owl Labs’ Meeting Owl Pro features a 360° lens camera to offer a panoramic view of the conference room. It offers support for various video conferencing solutions, including Zoom, Skype, and Google Meet.

Security researchers with Modzero have identified multiple vulnerabilities in Owl’s devices, warning that they could be exploited to find registered devices worldwide and access sensitive data, or even gain access to the owners’ networks.

The researchers discovered five vulnerabilities in Meeting Owl Pro: CVE-2022-31459, CVE-2022-31460, CVE-2022-31461 (CVSS score of 7.4), CVE-2022-31463 (CVSS score of 8.2), and CVE-2022-31462 (CVSS score of 9.3).

All of these issues, the researchers say, are related to hardcoded credentials – Meeting Owl Pro creates its own Wi-Fi access point with the hardcoded passcode “hoothoot” – and impact the communication between the Meeting Owl Pro device and its companion application and backend server, as well as the web apps used for managing Meeting Owl devices.

On Monday, Owl Labs announced the availability of patches for CVE-2022-31460, a high-severity bug that allows an attacker within Bluetooth range to turn the Meeting Owl device into a rogue access point to the owner’s network.

The issue exists because, when in AP mode, the device remains connected to the Wi-Fi network and routes all traffic to the network instead of allowing only connections to the Owl itself, Modzero explains. The vulnerability can be exploited without authentication.

On Monday, Owl Labs announced firmware version 5.4.1.4 for both Meeting Owl Pro and Whiteboard Owl, to disable “the passthrough of networking traffic in Wi-Fi AP tethering mode,” thus preventing the use of these devices as wireless access points.

The remaining flaws, the company says, are expected to be resolved with future updates. The company also notes that all devices should be protected against potential exploitation attempts once updated to 5.4.1.4.

“To be clear, once software version 5.4.1.4 is applied, there is no risk of unauthorized network access due to the above CVEs. The Owl PIN issues are low risk and would allow someone to access per-meeting default-meeting settings only (for example: Presenter Enhance, 360-degree Pano on/off), and require them to be within Bluetooth range,” the company said.

The unresolved issues expose the device’s internal Switchboard (allowing an attacker to perform actions supported by the companion app), and allow for access to Bluetooth-exposed functionality without authentication and for the deactivation of the passcode without authentication.

The most severe of these issues, CVE-2022-31462, is the presence of a hardcoded backdoor passcode that “can be calculated from information that is visible in Bluetooth Low Energy proximity range.”

This hardcoded passcode “is the SHA-1 has representation of the devices’ software serial, which is broadcasted as the name of the Owl over Bluetooth,” the researchers explain.

On Tuesday, the US Cybersecurity and Infrastructure Security Agency (CISA) encouraged Owl device owners to update to firmware version 5.4.1.4.

“Owl Labs has released security updates to address a vulnerability (CVE-2022-31460) in Meeting Owl Pro and Whiteboard Owl. An attacker could exploit this vulnerability to obtain sensitive information,” CISA said.

Related: Technical Details Released for Recently Patched Zyxel Firewall Vulnerabilities

Related: CISA Warns of Critical Vulnerabilities in Illumina Genetic Analysis Devices

Related: NSA Informs Cisco of Vulnerability Exposing Nexus Switches to DoS Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Vulnerabilities

GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet