Originally published at: https://boingboing.net/2019/12/17/no-ssl.html
Idiotic security mistakes in smart conferencing gear allows hackers to spy on board rooms, steal presentations
If you ever had seen any of my presentations, you wouldn’t want them.
We use an Owl video-conference phone in our department meetings, but it made no image last week. It appears that someone dropped the poor owl on its head and broke its very expensive eyeball.
Storing customer data in unsecured Amazon web buckets
This one drives me nuts, and I see it again and again in these stories. The default setting for Amazon buckets is secure and protected. You have to deliberately turn security off to make this happen.
But there are two?
The ones on the front are just bio-mimetic observer effect modulators. Effective for triggering human responses to eyes and faces but otherwise functionally irrelevant.
The camera(s, I think) on these things lives under the lens on top, to give it a 360 degree view of the room, with the firmware doing the necessary adjustment so it doesn’t look like your new conference room was installed inside an event horizon.
The firmware also adds a little ‘owl’ watermark to your video; because apparently refusing to stop shoving the vendor’s logo in your eye even after being paid $700 for the hardware is how progress works now.
I may, admittedly, be speaking from a position of slight bitterness that they had the guts to call something the “meeting owl pro” and market it as a videoconferencing solution; while requiring wifi for firmware updates (and who knows what other chatter to the mothership); and not even supporting WPA enterprise networks. Hey, how about you just have your IT team set up a WPA PSK for ‘IoT devices to live on’; because we’re too trendy to bother supporting anything better; or, y’know, USB DFU, the handy standard for USB devices that need to update their firmware.
Going by the report it appears that the vendor couldn’t be bothered to undo any of the lazy least effort configurations that decent people feel at least a bit ashamed of during prototyping and debugging prior to release.
AWS bucket wide open, cleartext HTTP for chatting with other Amazon services, unauthenticated web server running on the embedded android component, unauthenticated ADB, including root shell access, listening on USB and wired and wireless NICs, full stock Android ‘settings’ app included.
I shudder to think what they would find if they started poking it at the level of actual exploits rather than just wandering in through doors left unlocked and wide open; this doesn’t seem like the work of people who sanitize their inputs rigorously, to put it mildly.
My favorite part is the…friendly…advice for the vendor that the researchers provide: Maybe the sticker can be used as a dressing until they can reach the burn ward?
Too many offices throw everything on the same WPA2 PSK network imo
Thanks for the detailed reply to a, looking back, flippant joke
Actually found that to be downright snarky and unprofessional. Should have gone into a footnote, at best.
My favorite part is how it took DTEN almost two months after responding to fix the open S3 buckets. Says to me that functionality was built deep into the product and the public bucket couldn’t be just disabled. Rather, firmware needed to be patched to work with a non-public bucket. Therefore, my conclusion would be bog standard sloppy development, i.e. move fast and break things. Where instead of using auth tokens and cryptographic access to storage the dev team made their job a whole lot easier and dev cycle faster by cutting some critical corners … which means there’s no sec in their devsecops and no in-house auditing of product security. Not a good look for DTEN.
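As an added example (not from this thread, DTEN, or any vendor's code), a Python check for the two ways a bucket ends up public that the comments above describe: an unconditional `Principal: "*"` Allow in the bucket policy, and the Block Public Access flags switched off. The bucket name, account id and role name are constructed placeholders.

```python
"""Flag world-readable S3 bucket policies and disabled Block Public Access.

Added example; policies and settings below are constructed samples.
"""
import json

# Either form of principal means "anyone on the internet".
PUBLIC_PRINCIPALS = ({"AWS": "*"}, "*")
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")


def public_statements(policy: dict) -> list:
    """Return (Sid, actions) for unconditional Allow statements open to any principal."""
    found = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or st.get("Principal") not in PUBLIC_PRINCIPALS:
            continue
        if st.get("Condition"):  # a Condition narrows the grant; not the open case
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        found.append((st.get("Sid", "<no Sid>"), actions))
    return found


def block_public_access_ok(cfg: dict) -> bool:
    """All four PublicAccessBlock flags must be true; any False leaves a hole."""
    return all(cfg.get(k) is True for k in BPA_FLAGS)


# Constructed sample: the "move fast" policy, anyone can list and download.
OPEN_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": ["s3:GetObject", "s3:ListBucket"],
   "Resource": ["arn:aws:s3:::example-device-bucket",
                "arn:aws:s3:::example-device-bucket/*"]}]}''')

# Constructed sample: same bucket, readable only by the IAM role the device assumes.
LOCKED_POLICY = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Sid": "DeviceRoleOnly", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-device-role"},
   "Action": "s3:GetObject",
   "Resource": "arn:aws:s3:::example-device-bucket/*"}]}''')

BPA_ALL_ON = {k: True for k in BPA_FLAGS}
BPA_LOOSENED = {**BPA_ALL_ON, "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

if __name__ == "__main__":
    print("open policy:", public_statements(OPEN_POLICY))      # flags PublicRead
    print("locked policy:", public_statements(LOCKED_POLICY))  # []
    print("BPA ok:", block_public_access_ok(BPA_ALL_ON), block_public_access_ok(BPA_LOOSENED))
```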
That (aside from the fact that a USB camera that lacks any network features aside from the utter inability to update firmware without letting it phone home; or configure it beyond defaults without the janky ‘it acts as an AP; download the app and then connect to the AP with an SSID matching the sticker on yours’ configuration interface); is part of why I find the “eh, just get the nerds to make a friendly network for your IoT pals!” advice so obnoxious.
PSKs are, inevitably, over-shared secrets; and if a product relies on PSK it’s a great bet that there’s no way to rotate keys without slogging around the place manually, which helps assure that the key will basically never get changed (and probably be a fairly weak password, because some device with a 1-line LCD and about 5 buttons will require you to type it in the hard way); which makes them little more than open networks with enough false sense of security that people worry less about how vulnerable and chatty the devices on them often are.
General considerations aside, I think the meeting owl embitters me particularly because it squanders so much out of either apathy or overt embrace of the grimmer trends in consumer technology design; when it could actually be really solid at what it does.
The ‘single fairly extreme lens+image processing witchcraft’ approach does do a good job of getting a 360 degree view without putting a tower o’ cameras in the middle of the table; and the device is pretty decent at identifying speakers/participant movement and stitching it together while snipping out superfluous chunks of empty seat to make more room for those present; at its core functions it’s quite solid.
And then the pointless and/or depraved own goals start piling up.
Someone sufficiently focused on The Brand that every conference I use the hardware in now looks like I used a shareware copy of FreeTubeRippr somewhere in the production chain? Apparently so; because the authentic watermark experience is exciting and mandatory.
Someone decides that it just must have wifi as the only option for a number of capabilities; but apparently can’t be bothered to support network types that were added back in Android 4.3/API 18/Jelly Bean (no doubt a crushing burden for a device built around a Snapdragon 410)? That’s progress.
It just seems so gratuitous. If the thing just sat back and did its job; at which it’s actually pretty competent; I’d be inclined to view it fairly favorably. But apparently just delivering solid execution of a good concept is far too pedestrian.
This, I suspect, is why the successor “Meeting Owl Pro” isn’t satisfied with lame improvements like a better camera, speakers, and mic; but promises
“By adding a Meeting Owl Pro to any conference room, your space is now equipped to become a Smart Meeting Room. Powered by the Meeting Owl Pro’s enhanced Owl Intelligence System™, customers can expect a growing ecosystem of smart features and applications to help your team be even more productive.”
Thanks, future, I always wanted my webcam to have a nebulous and proprietary ‘ecosystem’ growing in it.
Have I passed irrevocably into “old man yells at cloud” territory?
I’d agree on that; just not on the implication that it’s a bad thing.
If the system being evaluated is being evaluated because its owner is your client and requested your services for the purpose; then, sure, I’m entirely on board with giving them a completely straight faced, sincere; and wholly diplomatic set of assessments, metrics, prioritized improvement/remediation/best practice items; etc.
If you are evaluating a system on your own account, though, the system’s owner/vendor isn’t your client, yours is not a professional relationship (indeed, if you are putting it up on your website the performative element suggests that either you are looking to turn the screws on the system owner to get it fixed; or that you see the audience as at least potential clients, more so than the system owner); and the world is just frankly so full of astonishing head/desk material that snide sarcasm seems like a quite sensible coping mechanism.
I could understand being irked if you paid for a pen test and got back a report to the effect that u got 0wn3d n00b, lol; rather than an actual assessment; but trying to impose ‘professional’ standards on independent 3rd parties is starting to edge into the same territory as being genuinely offended that journalists are so rude as to not necessarily be willing to act as your PR team.
Didn’t say I was offended nor was that the intended implication. Just stated that it was snarky and unprofessional. I don’t care who the client or audience is, you put a note like that in a report and it makes you look bad. The report speaks for itself without the snark. From what I understand Forescout has adopted a very adversarial relationship with vendors. Again, not a judgement, implication, or opinion, just an observation.