The Meeting Owl Pro is a video conferencing device with an array of cameras and microphones that captures 360-degree video and audio and automatically focuses on whoever is speaking to make meetings more dynamic and inclusive. The consoles, which are slightly larger than an Amazon Alexa and resemble a tree owl, are widely used by state and local governments, colleges and law firms.
A recently published security analysis concluded that the devices pose an unacceptable risk to the networks they connect to and the personal information of those who register and manage them. The litany of weaknesses includes:
- The disclosure of names, email addresses, IP addresses and geographic locations of all Meeting Owl Pro users in an online database accessible to anyone who understands how the system works. This data can be used to map network topologies or social engineer or dox employees.
- Anyone with access to the device also gets access to the interprocess communication channel, or IPC, that it uses to talk to other devices on the network. A malicious insider, or an outside attacker who exploits some of the other weaknesses found during the analysis, can misuse that channel.
- Bluetooth functionality designed to extend the range of devices and provide standard remote control uses no passcode, allowing a nearby hacker to control the devices. Even when a passcode is optionally set, the hacker can disable it without having to enter it first.
- An access point mode that broadcasts a new Wi-Fi SSID while the device stays joined to the organization's network on a separate SSID. By abusing the Wi-Fi or Bluetooth features, an attacker can compromise the Meeting Owl Pro and turn it into a rogue access point that bridges the two networks, moving data or malware into or out of the organization's network.
- Images of recorded whiteboard sessions – which should only be available to meeting participants – can be downloaded by anyone who knows how the system works.
High-profile vulnerabilities remain unpatched
Researchers at modzero, a Swiss- and German-based security consultancy that performs penetration testing, reverse engineering, source code analysis and risk assessment for its clients, discovered the threats while analyzing video conferencing solutions on behalf of an unnamed client. The company first contacted Meeting Owl maker Owl Labs of Somerville, Massachusetts in mid-January to report its findings privately. By the time this post went live on Ars, none of the most glaring vulnerabilities had been fixed, leaving thousands of customer networks at risk.
In a 41-page security report (PDF), the modzero researchers wrote:
While the operational features of this product line are interesting, modzero does not recommend the use of these products until effective measures are in place. The network and Bluetooth functions cannot be turned off completely. Even a stand-alone use, where the Meeting Owl only acts as a USB camera, is not recommended. Attackers within Bluetooth range can activate network communications and gain access to critical IPC channels.
In a statement, Owl Labs officials wrote:
Owl Labs takes security seriously: we have teams dedicated to deploying continuous updates to make our Meeting Owls smarter and to fix security flaws and bugs, with defined processes for pushing updates to Owl devices.
We release monthly updates and many of the security vulnerabilities highlighted in the original article have already been addressed and will be rolled out next week.
Owl Labs takes these vulnerabilities seriously. To our knowledge, there have never been any breaches of customer security. We have already addressed other points raised in the research report, or are in the process of addressing other points.
Below are the specific updates we are making to address security vulnerabilities, which will be available in June 2022 and rolling out tomorrow:
- RESTful API to retrieve PII data is no longer possible
- Implement MQTT service restrictions to secure IoT communications
- Remove access to PII from a previous owner in the UI when transferring a device from one account to another
- Restrict or revoke access to switchboard ports
- Fix for Wi-Fi AP tethering mode
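The IPC exposure in modzero's list and the "MQTT service restrictions" item in Owl Labs' fix list are the same concern seen from two sides: a broker on the device that answers to anyone on the LAN. The script below is an added example, written for this article and not taken from modzero's report or from Owl Labs; it shows the check a defender can run against any MQTT-speaking device on their own network to see whether the broker still accepts an unauthenticated client. It assumes MQTT 3.1.1 over plain TCP on the standard port 1883 and uses a made-up client identifier; the article does not say which port or MQTT version the Meeting Owl uses, so adjust those before pointing it at a real device, and only at devices you are authorized to test.

```python
"""Probe whether an MQTT 3.1.1 broker accepts an anonymous CONNECT.

Added example for this article; not code from modzero or Owl Labs.
Assumptions: MQTT 3.1.1 over TCP, default port 1883, client id "audit-probe".
"""
import socket
import struct
import sys
from typing import Optional, Tuple

MQTT_PORT = 1883  # assumption: standard unencrypted MQTT port

# Return codes from the CONNACK variable header (MQTT 3.1.1, section 3.2.2.3).
CONNACK_CODES = {
    0: "connection accepted",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad user name or password",
    5: "not authorized",
}


def _mqtt_string(s: str) -> bytes:
    """Encode a UTF-8 string with the 2-byte big-endian length prefix MQTT uses."""
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data


def _remaining_length(n: int) -> bytes:
    """Encode the fixed-header 'remaining length' as an MQTT variable-length int."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n > 0:
            byte |= 0x80  # continuation bit: more length bytes follow
        out.append(byte)
        if n == 0:
            return bytes(out)


def build_connect(client_id: str, username: Optional[str] = None,
                  password: Optional[str] = None, keepalive: int = 30) -> bytes:
    """Build a CONNECT packet; with no username/password it is an anonymous connect."""
    flags = 0x02  # clean session
    payload = _mqtt_string(client_id)
    if username is not None:
        flags |= 0x80
        payload += _mqtt_string(username)
    if password is not None:
        flags |= 0x40
        payload += _mqtt_string(password)
    var_header = (_mqtt_string("MQTT")          # protocol name
                  + bytes([0x04, flags])        # protocol level 4 = MQTT 3.1.1
                  + struct.pack(">H", keepalive))
    body = var_header + payload
    return bytes([0x10]) + _remaining_length(len(body)) + body  # 0x10 = CONNECT


def parse_connack(data: bytes) -> Tuple[bool, int]:
    """Return (session_present, return_code) from a 4-byte CONNACK."""
    if len(data) < 4 or data[0] != 0x20 or data[1] != 0x02:
        raise ValueError("not a valid MQTT 3.1.1 CONNACK")
    return bool(data[2] & 0x01), data[3]


def anonymous_access_open(return_code: int) -> bool:
    """True when the broker accepted a CONNECT that carried no credentials."""
    return return_code == 0


def probe_anonymous_mqtt(host: str, port: int = MQTT_PORT, timeout: float = 3.0) -> str:
    """Connect without credentials and report how the broker answered."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect("audit-probe"))
        resp = sock.recv(4)
    _, code = parse_connack(resp)
    verdict = "OPEN (anonymous clients accepted)" if anonymous_access_open(code) else "closed"
    return f"{host}:{port} -> {CONNACK_CODES.get(code, 'unknown code %d' % code)}; anonymous access {verdict}"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(probe_anonymous_mqtt(target))
```

A return code of 0 to a credential-less CONNECT means the broker is reachable by anyone who can route to it, which is the precondition for the IPC misuse the report describes; it does not by itself show what topics are readable or writable, since a broker can accept the connection and still enforce per-topic ACLs. Conversely, codes 4 or 5 mean authentication is now required, which is what the promised "MQTT service restrictions" should produce, and is the result to re-check after the firmware update lands.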