Videoconference system stored data in open AWS bucket, says new report

Infosec pros can’t take for granted the security of products their organizations buy. That’s one of the lessons from an analysis by a security vendor of vulnerabilities found in a videoconferencing system made by U.S. manufacturer DTEN Inc.

The report by Forescout Technologies issued Wednesday found the D5 and D7 Touchboard models had several vulnerabilities that allowed a threat actor to obtain root shell access and possibly listen in or watch a live meeting through a variety of remote, local and physical access attacks.

One of the most serious issues was that PDF files from customers’ digital whiteboards were uploaded in the clear (over unencrypted HTTP) to an unprotected, publicly accessible AWS S3 storage bucket. Because of this misconfiguration, the shared whiteboards uploaded by every customer were exposed. “This could have potentially led to the leakage of sensitive information such as organizational charts, brainstorming sessions containing intellectual property, the architectural design of new products or even sales pipelines,” says the report.
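The misconfiguration described above is the kind a bucket-policy review catches before a researcher does. The following is an added example, not code from the Forescout report or from DTEN: it evaluates a constructed S3 bucket policy for grants to the anonymous principal and places the weak policy beside a corrected one that limits writes to a single role and refuses plaintext transport. The bucket name, role ARN and account ID are placeholders.

```python
"""Flag S3 bucket policies that grant anonymous (Principal "*") access."""
import json

# Constructed example policies. The bucket name, account ID and role name are
# placeholders for illustration, not values taken from the report.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowEveryone",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-whiteboards",
                 "arn:aws:s3:::example-whiteboards/*"]
  }]
}""")

FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DeviceUploadOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/whiteboard-uploader"},
    "Action": "s3:PutObject",
    "Resource": "arn:aws:s3:::example-whiteboards/*"
  }, {
    "Sid": "DenyPlaintextTransport",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-whiteboards",
                 "arn:aws:s3:::example-whiteboards/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  }]
}""")

# Account- or bucket-level S3 Block Public Access with every setting enabled.
PUBLIC_ACCESS_BLOCK_ALL = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                           "BlockPublicPolicy": True, "RestrictPublicBuckets": True}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, the forms that mean 'everyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def anonymous_grants(policy: dict) -> list:
    """Return every Allow statement whose principal is anonymous.

    Deny statements are skipped (a Deny to "*" is a hardening measure, not a
    grant). Conditioned grants are reported with conditioned=True so a reviewer
    can judge whether the condition actually narrows the audience.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": sorted(_as_list(stmt.get("Action", []))),
            "conditioned": bool(stmt.get("Condition")),
        })
    return findings


def bucket_exposed(policy: dict, public_access_block: dict) -> bool:
    """Anonymous read is possible only if the policy grants it AND
    RestrictPublicBuckets is off; with it on, S3 ignores public policies."""
    if public_access_block.get("RestrictPublicBuckets"):
        return False
    read_actions = ("s3:GetObject", "s3:ListBucket", "s3:Get*", "s3:*")
    return any(action in read_actions
               for grant in anonymous_grants(policy)
               for action in grant["actions"])


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("fixed", FIXED_POLICY)):
        print(name, anonymous_grants(policy), "exposed:", bucket_exposed(policy, {}))
```

Run against a real account, the policy document comes from `aws s3api get-bucket-policy` and the block settings from `aws s3api get-public-access-block`; the point of the check is that the policy and the account-level block must be read together, since either one alone can make a bucket look safer than it is.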

A DTEN D7 videoconferencing screen

Similarly, locally saved copies of whiteboard files were found exposed on an undocumented, unprotected web server running on the device, making them readily downloadable by anyone on the same network and opening the organization to potential insider threats.

The vulnerabilities were reported to DTEN in August. Models with firmware older than 1.3.4 are affected. Several vulnerabilities on D7 models have been fixed through updated firmware, and the AWS bucket was made private in October. The report says new firmware can be installed manually, but after version 1.3.5 is issued this month updates will be delivered over the air.

Note that the D5 model is now at its end of life.

DTEN’s website says a number of large companies use its products including Trend Micro, CBS and Forescout.

Forescout recommends that organizations with these units prevent user and network access to the Android client, since according to DTEN it is not necessary for the proper functioning of the videoconferencing system. They should also harden the Windows operating system by disabling all unnecessary functionality, enabling automatic updates and installing an endpoint detection or anti-virus solution.

DTEN systems combine a touchscreen smart TV with a collaborative whiteboard and link participants through Zoom Meetings. Each unit runs two operating systems: an embedded Android OS and a tightly integrated Windows 10 component that hosts the Zoom Rooms application. Forescout notes that both operating systems have wireless and wired connectivity, so a single unit appears on the network under more than a handful of different OEM network identifiers.

In addition to the open AWS bucket, Forescout found three other issues:

  • Unauthenticated web server: a web server running on the Android OS on port 8080 discloses all whiteboards stored locally on the device (CVE-2019-16271).
  • Arbitrary code execution: unauthenticated root shell access through Android Debug Bridge (ADB) leads to arbitrary code execution and system administration (CVE-2019-16273).
  • Access to factory settings: provides full administrative access and thus a covert ability to capture Windows host data from Android, including Zoom meeting content (audio, video, screen share) (CVE-2019-16272).

Forescout says its research shows how Internet-of-things devices can pose a security threat to an organization if left unpatched or unprotected on corporate networks. “As IoT devices like these become more pervasive in the enterprise, organizations need to carefully consider the security implications and take the necessary risk mitigation steps.”

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
