Who Else Is in That Video Meeting? Maybe a HackerForescout Finds Serious Flaws in DTEN Conferencing Systems
Video conferencing and collaboration systems are must-have tools for enterprises. But new research by Forescout illustrates how poorly implemented security within the systems could lead to massive data leaks.
Elementary security errors within products of DTEN, a San Jose, California-based conferencing developer, could have allow attackers to snoop on meetings and view sensitive documents, Forescout says.
Forescout examined two models of smart screens, DTEN's D5, which is now end of life, and its D7. The screens, which appear to be smart TVs, are integrated with video conferencing software from Zoom and touchscreen features for interactive white boarding.
The devices also have the hardware required for their specialized applications, including microphones, speakers and HD cameras.
Also unique with DTEN's systems is that the D5 and D7 run an embedded Android OS as well as a "tightly integrated Windows 10 component" which runs Zoom Rooms, Forescout writes in a blog post.
Forescout's investigation uncovered five serious vulnerabilities affecting both models using firmware version 1.3.4 and prior.
They found the two models "contained vulnerabilities allowing for a variety of remote, local and physical access attacks that would enable a bad actor to obtain root shell access on the device to potentially listen in and/or watch on a live meeting - or just be stealthily, remotely 'telepresent' in the same room."
Forescout says the company has patched three of the issues, with two more expected this month.
DTEN says after it was notified by Forescout it "immediately commenced a comprehensive audit of our equipment and associated firmware to review and address these issues." It said it released on Thursday a firmware update for its D7 model, 1.3.5, and will release one for the D5 model - version 1.2.3 - on or before Dec. 27.
Open AWS Bucket, No TLS
A feature of DTEN's systems allows for the storage and sharing of documents, such as meeting notes or PDFs. Those files are written to an AWS bucket. Forescout found that DTEN hadn't enabled SSL/TLS to protect those files in transit. That bug, CVE-2019-16274, has been fixed.
Even worse, those files were exposed to the internet because the AWS bucket had no authentication. Modifying the URL allowed for enumeration of the entire bucket, Forescout writes. The flaw, CVE-2019-16270, has been fixed.
"This could have potentially led to the leakage of sensitive information such as organizational charts, brainstorming sessions containing intellectual property, architectural design of new products or even sales pipelines," Forescout writes.
In a related problem, Forescout also found that whiteboard files were saved locally on "an undocumented, unprotected webserver running on the device, making them readily downloadable from anyone on the same network and opening the organization to potential insider threats."
The issue affected D7 touchboards, which runs an Android OS that exposed an unauthenticated web server on port 8080/tcp, Forescout writes. The company has verified that DTEN fixed the problem, CVE-2019-16271, but only for the D7.
"The server contains all saved whiteboards on the device," ForeScout writes. "This allows remote attackers (within the customer network) to connect to the Android IP:8080 to download any saved whiteboard image PDF documents."
More Patches Due Soon
Two outstanding issues haven't been fixed yet, but DTEN plans to issue updates soon, Forescout reports. One involved the Android Debug Bridge, a tool used by developers. DTEN's implementation of it allows for unauthenticated root shell access and thus full power to execute code, Forescout writes.
Forescout found three ways into the Android Debug Bridge, including over physical USB and ethernet ports as well as a wireless interface. DTEN plans to fix that bug (CVE-2019-16273) in the 1.3.4 firmware before the end of the year, the Forescout blog notes.
The other outstanding issue, CVE-2019-16272, involves the Android OS factory settings, which can provide "a covert ability to capture Windows host data including the Zoom meeting content," Forescout says.
Forescout reported all of the issues to DTEN in July and gave the company 90 days to fix the issue before disclosure. It then waited more than a month after that period expired before going public on Tuesday.
For those who have vulnerable devices, patching is somewhat messy. Forescout says those running a D5 or D7 should contact DTEN to get manual firmware updates as well as instructions for how to reflash the devices over USB. DTEN plans to subsequently deliver over-the-air updates after its firmware update to version 1.3.5. That update process will be managed through the Zoom Rooms portal, Forescout writes.