Update now! Patch against vulnerabilities in Meeting Owl Pro and Whiteboard Owl devices

[updated]Update now! Patch against vulnerabilities in Meeting Owl Pro and Whiteboard Owl devices

After a decent amount of pressure, Owl Labs has finally released updates for vulnerabilities in Meeting Owl, and Whiteboard Owl cameras. The vulnerabilities were reported to Owl Labs in January,

One of the vulnerabilities, CVE-2022-31460has been added to the Known exploited vulnerabilities catalogby the Cybersecurity & Infrastructure Security Agency (CISA) and needs to be updated by June 22, 2022.

Owl Labs

Owl Labs makes 360-degree video conferencing equipment for classrooms and boardrooms. It produces several pieces of hardware, including the Meeting Owl Pro, a speaker fitted with cameras, microphones and an owl-like face, and a whiteboard camera for hybrid meetings.

The research

Researchers at modzeroexamined the Meeting Owl and found serious defects in the built-in security mechanisms.

And these vulnerabilities were not minor. By exploiting the vulnerabilities an attacker could find registered devices, their data, and owners from around the world.

The researchers found the existence of at least four different ways to bypass the PIN protection (passcode), which protects the Owl from unauthorized use.

The vulnerabilities

The Common Vulnerabilities and Exposures (CVE) database is a list of publicly disclosed computer security flaws. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Below you will find the CVEs assigned to the vulnerabilities:

  • CVE-2022-31460: Owl Labs Meeting Owl 5.2.0.15 allows attackers to activate Tethering Mode with hard-coded credentials. The tethering mode turns the Owl into an access point (AP) by creating a new Wi-Fi network while staying connected to the existing Wi-Fi. This basically allows any authorized user to turn the Owl into a rogue access point. A rogue access point by definition constitutes a wireless access point installed on a secure network without explicit authorization from a local network administrator. Hard-coded credentials is where embedded authentication data, like user IDs and passwords, are included the source code of the device.

Passcode bypasses

  • CVE-2022-31463: Owl Labs Meeting Owl 5.2.0.15 does not require a password for Bluetooth commands, because only client-side authentication is used. To extend the range of devices and provide remote control by default Owl Labs uses the Bluetooth functionality. The vulnerability makes it possible for an attacker in proximity to control the devices to the extent that they can disable any set passcode.
  • CVE-2022-31462: Owl Labs Meeting Owl 5.2.0.15 allows attackers to control the device via a backdoor password which can be found in Bluetooth broadcast data. A hardcoded backdoor passcode exists which depends on the serial number of the device. This hardcoded passcode is the SHA-1 hash representation of the devices’ software serial number. The hash is broadcasted as the name of the Owl over Bluetooth Low Energy (BLE). So an attacker in close proximity can simply get hold of the hardcoded backdoor passcode. Also, it is possible to generate all existing serial numbers by a script.
  • CVE-2022-31461: Owl Labs Meeting Owl 5.2.0.15 allows attackers to deactivate the passcode protection mechanism via a certain message from the companion app. An attacker would have to be close enough to the Owl to communicate over BLE to exploit this vulnerability.
  • CVE-2022-31459: Owl Labs Meeting Owl 5.2.0.15 allows attackers to retrieve the SHA1 hash of the passcode over BLE. It is possible to brute-force the passcode from the hash in seconds since it consist only of digits. An attacker with knowledge of the BLE endpoint can use this knowledge to control any Meeting Owl in their proximity.

What is Bluetooth Low Energy (BLE)?

BLE is a Bluetoothprotocol which launched in 2010, especially designed to achieve low power consumption and latency, while at the same time accommodating the widest possible interoperable range of devices. The BLE protocol also does not require paring between the sender and receiver and it can send authenticated unencrypted data.

For those interested, a full disclosure report by modzero is available online.

Slow pokes

Another worrying factor in the report is the timeline of disclosure which gives the impression of an uninterested attitude and unwillingness to fix on the part of Owl Labs. Given the seriousness of the vulnerabilities and the nature of Owl Labs’ clients one might have wished it was treated with more urgency.

The researchers shifted the time of disclosure several times until they were finally fed up with the unresponsiveness of Owl Labs. And only after the vulnerabilities had been disclosed Owl Labs came up with patches for the vulnerabilities. On June 6, 2022, Owl Labs statedthat all high-security issues had been addressed, and said it was in the process of implementing a few additional updates. EarlierOwl Labs said that the likelihood that its customers were affected by these issues is low.

Mitigation

Meeting Owl Pro and Whiteboard Owl will automatically send over the air software updates to Owls that are connected to Wi-Fi and plugged into power over night.

To determine what version of software is on your Owl, follow these steps.

If your Owl’s software is out of date, please follow these instructionsfor how to update your Owl’s software.

We are pretty sure this owl will have a tail and will keep you updated about any developments here.

Update June 30, 2022

The five CVE IDs bulleted below were resolvedas of June 23. Details from Owl Labs on all updates can be found here

  • The Passcode Is Not Required for Bluetooth Command (CVE-2022-31463)
  • Hard Coded Backdoor Passcode (CVE-2022-31462)
  • Deactivation of Passcode Without Authentication (CVE-2022-31461)
  • Passcode-Hash Can Be Retrieved via Bluetooth (CVE-2022-31459)
  • CVE-2022-31460 was resolved on June 6, 2022. 

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.