HOOT HOOT

Meeting Owl videoconference device used by govs is a security disaster

No patch yet for easy-to-hack access point that leaks data and exposes networks to hacks.

Dan Goodin
Credit: Owl Labs

The Meeting Owl Pro is a videoconference device with an array of cameras and microphones that captures 360-degree video and audio and automatically focuses on whoever is speaking to make meetings more dynamic and inclusive. The consoles, which are slightly taller than an Amazon Alexa and bear the likeness of a tree owl, are widely used by state and local governments, colleges, and law firms.

A recently published security analysis has concluded the devices pose an unacceptable risk to the networks they connect to and the personal information of those who register and administer them. The litany of weaknesses includes:

  • The exposure of names, email addresses, IP addresses, and geographic locations of all Meeting Owl Pro users in an online database that can be accessed by anyone with knowledge of how the system works. This data can be exploited to map network topologies or socially engineer or dox employees.
  • The device exposes to anyone who can reach it the interprocess communication (IPC) channel it uses to interact with other devices on the network. This access can be exploited by malicious insiders or by hackers who exploit some of the vulnerabilities found during the analysis.
  • Bluetooth functionality, designed to extend the range of devices and provide remote control, uses no passcode by default, making it possible for a hacker in proximity to control the devices. Even when a passcode is optionally set, the hacker can disable it without first having to supply it.
  • An access point mode that creates a new Wi-Fi SSID while using a separate SSID to stay connected to the organization network. By exploiting Wi-Fi or Bluetooth functionalities, an attacker can compromise the Meeting Owl Pro device and then use it as a rogue access point that infiltrates or exfiltrates data or malware into or out of the network.
  • Images of captured whiteboard sessions—which are supposed to be available only to meeting participants—could be downloaded by anyone with an understanding of how the system works.

Glaring vulnerabilities remain unpatched

Researchers from modzero, a Switzerland- and Germany-based security consultancy that performs penetration testing, reverse engineering, source-code analysis, and risk assessment for its clients, discovered the threats while conducting an analysis of videoconferencing solutions on behalf of an unnamed customer. The firm first contacted Meeting Owl-maker Owl Labs of Somerville, Massachusetts, in mid-January to privately report their findings. As of the time this post went live on Ars, none of the most glaring vulnerabilities had been fixed, leaving thousands of customer networks at risk.

In a 41-page security disclosure report (PDF), the modzero researchers wrote:

While the operational features of this product line are interesting, modzero does not recommend using these products until effective measures are applied. The network and Bluetooth features cannot be turned off completely. Even a standalone usage, where the Meeting Owl is only acting as a USB camera, is not suggested. Attackers within the proximity range of Bluetooth can activate the network communication and access critical IPC channels.

In a statement, Owl Labs officials wrote:

Owl Labs takes security seriously: We have teams dedicated to implementing ongoing updates to make our Meeting Owls smarter and to fixing security flaws and bugs, with defined processes for pushing out updates to Owl devices.

We release updates monthly, and many of the security concerns highlighted in the original article have already been addressed and will begin rollout next week.

Owl Labs takes these vulnerabilities seriously. To the best of our knowledge, there have never been any customer security breaches. We have either already addressed, or are in the process of addressing other points raised in the research report.

Below are the specific updates we are making to address security vulnerabilities, which will be available in June 2022 and implemented starting tomorrow:

  • RESTful API to retrieve PII data will no longer be possible
  • Implement MQTT service restrictions to secure IoT comms
  • Removing access to PII from a previous owner in the UI when transferring a device from one account to another
  • Limiting access or removing access to switchboard port exposure
  • Fix for Wi-Fi AP tethering mode

Cute face and a range of capabilities

The Meeting Owl provides a range of capabilities, including the ability to work as a standalone webcam, two or more webcams that connect through Bluetooth, or a Wi-Fi access point. In addition to the device with the distinctive Owl face, the Meeting Owl Pro also includes a companion app for iOS or Android, which can be used to administer devices inside the network of the organization using it. Customers can also use an account on the Owl Labs website to monitor and control devices.

Government agencies, colleges, and other organizations have heavily promoted Meeting Owls as a means for hosting meetings that otherwise wouldn't be possible during the pandemic.

Credit: CalTech

A system overview is directly below, and below that is a diagram of the internal communications:

Credit: modzero
Credit: modzero

A literal road map for would-be hackers

As modzero dug into the device features, it quickly discovered that the details customers enter during the enrollment phase and the most recent connections that follow are stored in a database hosted on the Internet. No password is required to access the data. Instead, all that’s needed is a valid Meeting Owl serial number. The researchers developed a script that automatically presented the database with every possible serial number. The server, the researchers said, responded with details for each one that had been registered.
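The enumeration described above leaves a distinctive trace in API access logs: one client requesting many different serial numbers, most of which do not exist. The following is an added example of how a defender could flag that pattern; it is not code from modzero or Owl Labs, and the log format, the /device/<serial> path and the serial-number format are assumptions.

```python
"""Flag clients that sweep serial numbers against a device-lookup API.
Added example, not modzero's or Owl Labs' code. The log format, the
/device/<serial> path and the serial format are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log: one client walks consecutive serials
# (404s included), another looks up only its own device.
SAMPLE_LOG = """\
2022-06-01T10:00:01Z 203.0.113.7 GET /device/OWL-000101 200
2022-06-01T10:00:02Z 203.0.113.7 GET /device/OWL-000102 404
2022-06-01T10:00:03Z 203.0.113.7 GET /device/OWL-000103 200
2022-06-01T10:00:04Z 203.0.113.7 GET /device/OWL-000104 404
2022-06-01T10:00:05Z 203.0.113.7 GET /device/OWL-000105 200
2022-06-01T10:00:30Z 198.51.100.9 GET /device/OWL-004242 200
2022-06-01T10:05:00Z 198.51.100.9 GET /device/OWL-004242 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) GET /device/(\S+) (\d{3})$")

def parse_log(text):
    """Yield (timestamp, client, serial, status) per well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines not in the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), int(m.group(4))

def find_enumerators(text, window=timedelta(minutes=1), threshold=4):
    """Return {client: distinct serials} for clients that query at least
    `threshold` distinct serials inside any sliding `window`. Misses (404)
    count too: a legitimate owner does not guess serials it does not own."""
    by_client = defaultdict(list)
    for ts, client, serial, _status in parse_log(text):
        by_client[client].append((ts, serial))
    flagged = {}
    for client, events in by_client.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1  # slide the window forward
            distinct = {s for _, s in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[client] = max(len(distinct), flagged.get(client, 0))
    return flagged
```

The same check is the argument for authenticating the lookup in the first place: a single serial number is a guessable identifier, not a credential.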

“By exploiting the vulnerabilities we found during our analysis, an attacker can find registered devices, their data, and owners from around the world,” the researchers wrote in a short post. “Attackers can also access confidential screenshots of whiteboards or use the Owl to get access to the owner's network. The PIN protection, which protects the Owl from unauthorized use, can be circumvented by an attacker by (at least) four different approaches.”

Combined with other weaknesses, the lack of authentication exposes networks to serious risk. One result is maps like the one below, which show the recent locations of real users. When combined with the users’ identities, IP numbers, and other details, the data provides a literal road map for would-be hackers who can then mount attacks over the Internet or through proximity attacks that exploit the Bluetooth flaws to take control of a Meeting Owl and use it to burrow into the network it's connected to.

Credit: modzero

The post also shows one of many images exposed by a recently introduced whiteboard feature that’s incorporated into the video viewed by meeting participants. Owl Labs suspended whiteboard functionality in March after receiving modzero's private report of the vulnerability.

Credit: modzero

“According to our analysis described above, the Meeting Owl is currently everything but safe,” the researchers concluded.

With Owl Labs claiming that Meeting Owl is used by more than 100,000 organizations worldwide, the vulnerabilities pose a serious collective risk that’s likely to outweigh any benefits. Besides being used by multiple state governments—including Virginia’s Department of Energy—Owl Labs videoconferencing is widely embraced by local municipalities, and there’s some evidence it also may be used by some federal government agencies.

“The only advice that I have at the moment is to turn the devices off until the Bluetooth-related vulnerabilities are mitigated,” modzero co-CEO Thorsten Schröder wrote in a direct message. “Disabling the Wi-Fi connection to the local network is not sufficient, as an attacker can turn it on again via Bluetooth. The Owls network must not have access to internal infrastructure.”

