
Owl Labs Patches Awful Exposure in Video Conferencing Applications

Owl Labs, a company that makes video conferencing products, has announced severe vulnerabilities in its devices, including the Whiteboard Owl and Meeting Owl Pro. These two products allow people to set up important meetings regardless of where their team is located. Users can share documents, e-mails, chat and even conduct real-time polls. They can also record sessions.

The company claims that more than 100 people use the software worldwide. While this may be true, many of those individuals use the free version of the product, which does not contain security patches.

Recently, Modzero, a Swiss- and German-based security firm that conducts penetration tests and risk assessments for companies and government agencies, discovered vulnerabilities in Owl's tools. They discovered that the exposure can allow hackers to access user accounts and steal sensitive data.

The research team discovered the vulnerabilities while analyzing video conferencing solutions on behalf of a client. While working through a list of vendors, they noticed many products with similar functionality that looked like they might be vulnerable.

As a result, the organization decided to mount a 360° lens on its tool, Meeting Owl Pro, to get a clear view of the conference area. The device supports various conferencing solutions such as Google Meet, Zoom, and Skype.

According to the study, Meeting Owl Pro had five exposures:

CVE-2022-31459, CVE-2022-31460, CVE-2022-31461, CVE-2022-31462 and CVE-2022-31463. The CVSS scores reported for them include 9.3, 7.4 and 8.2.

The researchers believe the above issues relate to hardcoded commands. This means the passcodes help Meeting Owl Pro create its own Wi-Fi access point. That affects all other web apps that manage Meeting Owl devices.

Modzero believes all traffic is directed to the network when the device is in AP mode but not to the Owl itself. That happens because the tool stays connected to the Wi-Fi. Thus, the issue continues, and the exposure can work without validation.

Owl Labs announced patches for CVE-2022-31460 on Monday. Using the Bluetooth capability, attackers can use this bug to manipulate the tool and turn it into a rogue access point to the owner's network.

On the same day, the company announced software version 5.4.1.4 for both Whiteboard Owl and Meeting Owl Pro, which mitigates the network traffic vulnerabilities involving the Wi-Fi AP tethering mode. That limits the ability of these devices to act as wireless access points.

According to the company, future updates will resolve the pending flaws. The 5.4.1.4 update will also protect all the devices from potential attack attempts. Further, software version 5.4.1.4 will end unauthorized network access arising from the above flaws.

The organization stated that since the PIN issue was risk-free, anybody could access meeting settings. They only need to be within Bluetooth range to use the 360 Presenter Enhance settings. The internal switchboard of the device remains exposed to the pending issues. With the help of a sister app, an attacker can perform certain actions that give unauthorized access to Bluetooth-exposed capabilities and disable the passcode without validation.

The critical vulnerability, CVE-2022-31462, is the existence of a fixed secret passcode that can be calculated from information visible within Bluetooth Low Energy range. The research shows that the hardcoded passcode is the SHA-1 of the device's serial, depicted as “Owl over Bluetooth.”
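The weakness described above, a fixed passcode computable from data the device itself broadcasts over Bluetooth, shown next to a hardened alternative. This is an added example, not code from Owl Labs or Modzero; the advertisement fields, serial format and class names are constructed for illustration and do not reflect the device's actual scheme.

```python
import hashlib
import hmac
import secrets

# Constructed sample: fields a nearby observer could read from a BLE advertisement.
SAMPLE_ADVERTISEMENT = {"name": "Owl-EXAMPLE", "serial": "SN-EXAMPLE-0001"}


def derived_passcode(serial: str) -> str:
    """Weak pattern: the passcode is a pure function of a broadcast value."""
    return hashlib.sha1(serial.encode()).hexdigest()


class WeakDevice:
    """Accepts a passcode that anyone in radio range can recompute."""

    def __init__(self, serial: str):
        self._expected = derived_passcode(serial).encode()

    def check(self, candidate: str) -> bool:
        return hmac.compare_digest(candidate.encode(), self._expected)


class HardenedDevice:
    """Random per-device passcode; the device keeps only a salted slow hash."""

    def __init__(self):
        self.issued_passcode = secrets.token_urlsafe(16)  # handed to the owner once
        self._salt = secrets.token_bytes(16)
        self._stored = self._kdf(self.issued_passcode)

    def _kdf(self, passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self._salt, 100_000)

    def check(self, candidate: str) -> bool:
        # Constant-time comparison of the derived hash, never of the raw passcode.
        return hmac.compare_digest(self._kdf(candidate), self._stored)


def passcode_recoverable(advertisement: dict, device) -> bool:
    """Design test: does hashing any broadcast field yield an accepted passcode?"""
    return any(device.check(derived_passcode(v)) for v in advertisement.values())
```

A vendor can keep `passcode_recoverable` in the firmware test suite so that a credential derived from broadcast data fails the build.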

The US cybersecurity agency (CISA) told Owl device users to upgrade to software version 5.4.1.4. CISA said that Owl Labs issued security updates to address the exposure (CVE-2022-31460) that lets attackers access the tool and steal sensitive information.

With so many people using Owl Labs software, the exposure reveals a significant collective risk that outweighs any gains. But despite all the flaws, many state governments continue to use the company's video conferencing tools. The researchers advise people to disconnect their Bluetooth devices while using the software to minimize the risk of exposure.
