2022-05-31

[EN] hoot hoot pwn

As part of an analysis of video conference solutions for a customer, we examined the Meeting Owl. The Meeting Owl is a smart, owl-shaped 360-degree video conference camera that is intended for use in companies and educational institutions.

Product image
Meeting Owl Pro. Source: https://owllabs.de/products/meeting-owl-pro

To use the owl, it must be connected to a computer via USB. Additionally, an app for iOS and Android, as well as a web interface for configuration and administration is provided. Although the device made a good first impression due to its appealing design and usability, the analysis revealed serious defects in the built-in security mechanisms.

Find Meeting Owls near you!!

By exploiting the vulnerabilities we found during our analysis, an attacker can find registered devices, their data, and their owners from around the world. Attackers can also access confidential screenshots of whiteboards or use the Owl to gain access to the owner's network. The PIN protection, which is meant to protect the Owl from unauthorized use, can be circumvented by an attacker in (at least) four different ways.

owl distribution map
Some real Meeting Owl device locations across the world.

The map above was generated based on publicly available data which was also disclosed to Owl Labs.

Whiteboard Image
One of many whiteboard recordings that we were able to access via the Internet.

The details of these and other security vulnerabilities can be found in our detailed report (PDF).

Conclusion

According to our analysis described above, the Meeting Owl is currently anything but safe.
After we reported the weaknesses to the manufacturer, we only got feedback after contacting the US Cybersecurity and Infrastructure Security Agency (CISA). More generally, expanding your infrastructure with startup technology may put your information security at risk. It is often worthwhile to examine new technologies before they are used in private and critical environments. Without such an assessment, security risks to the corporate or private network and its systems can go unnoticed.

Disclosure Timeline

On 01/19/2022 we tried to contact the security officers at Owl Labs for the first time, unfortunately without success. On 02/01/2022 we tried again. Furthermore, on 02/09/2022 we contacted the German Bundesamt für Sicherheit in der Informationstechnik (BSI) for further clarification with the American authority CISA. We received an answer from Owl Labs on 02/17/2022, after reporting to CISA.
After we asked for a timeline or roadmap, Owl Labs told us on 03/14/2022 that they would roll out updates starting the following week, and that all vulnerabilities would be remediated by mid-May.
To date, several updates have been published by Owl Labs. According to a quick inspection, there are still open security issues and weaknesses, so we are postponing the release of our tools for another four weeks.

Our disclosure policy has been submitted to Owl Labs and is available here (PDF).


Posted by modzero | Filed under: modzero, security, software, hacking, exploit, advisory