Infosec pros can’t take for granted the security of products their organizations buy. That’s one of the lessons from an analysis by a security vendor of vulnerabilities found in a videoconferencing system made by U.S. manufacturer DTEN Inc.
The report by Forescout Technologies, issued Wednesday, found that the D5 and D7 Touchboard models had several vulnerabilities that allowed a threat actor to obtain a root shell and potentially listen in on or watch a live meeting, through a mix of remote, local and physical access attacks.
One of the most serious issues was that PDF files from customers' digital whiteboards were uploaded in the clear (over unencrypted HTTP) to a misconfigured AWS S3 storage bucket that was open to the public; because every customer's whiteboards landed in the same unprotected bucket, anyone who found it could read the shared whiteboards of every customer. “This could have potentially led to the leakage of sensitive information such as organizational charts, brainstorming sessions containing intellectual property, the architectural design of new products or even sales pipelines,” says the report.
Similarly, locally saved copies of whiteboard files were found exposed on an undocumented, unprotected web server running on the device itself, making them readily downloadable by anyone on the same network and opening the organization to potential insider threats.
The vulnerabilities were reported to DTEN in August. Models with firmware older than 1.3.4 are affected. Several vulnerabilities on D7 models have been fixed through updated firmware, and the AWS bucket was made private in October. The report says new firmware can be installed manually, but after version 1.3.5 is issued this month updates will be delivered over the air.
Note that the D5 model is now at its end of life.
DTEN’s website says a number of large companies use its products including Trend Micro, CBS and Forescout.
Forescout recommends that organizations with these units block user and network access to the Android client, since according to DTEN it is not necessary for the proper functioning of the video conferencing system. They should also harden the Windows operating system by disabling all unnecessary functionality, enabling automatic updates and installing an endpoint detection and response (EDR) or anti-virus product.
DTEN systems combine a touchscreen smart TV with a collaborative whiteboard and link participants through Zoom Meetings. Each unit runs two operating systems: an embedded Android OS, and a tightly integrated Windows 10 component that hosts the Zoom Rooms application. Forescout notes that both operating systems have their own wireless and wired connectivity, so a single unit can present several different OEM network identifiers on the network.
In addition to the open AWS S3 bucket, Forescout found three other issues:
- Unauthenticated web server: a web server running on the Android OS and listening on port 8080 discloses all whiteboards stored locally on the device (CVE-2019-16271).
- Arbitrary code execution: unauthenticated root shell access through the Android Debug Bridge (ADB) gives an attacker arbitrary code execution and full control of the system (CVE-2019-16273).
- Access to factory settings: the factory settings provide full administrative access, and with it a covert ability to capture Windows host data from the Android side, including Zoom meeting content (audio, video and screen share) (CVE-2019-16272).
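As an added example (this is not code from the report, from Forescout or from DTEN), the following Python script is the kind of check a network team could run against its own inventory of units to confirm that the two network-reachable services in the list above are no longer answering: the whiteboard web server on TCP 8080 (the port the report names) and ADB. The report does not say which port ADB listens on, so the script assumes ADB's standard TCP port 5555; adjust it if your units differ. The `start_fake_service` and `closed_port` helpers are constructed fixtures so the demo runs offline against localhost instead of a real device.

```python
# Added example (not DTEN's or Forescout's code): an exposure check for the two
# network-reachable services the report describes on the device's Android side.
import socket
import threading
from dataclasses import dataclass
from typing import Optional

WHITEBOARD_HTTP_PORT = 8080  # unauthenticated web server named in the report (CVE-2019-16271)
ADB_TCP_PORT = 5555          # assumption: ADB's standard TCP port; the report names no port


@dataclass
class Finding:
    host: str
    port: int
    service: str
    detail: str


def tcp_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http_status(host: str, port: int, path: str = "/", timeout: float = 2.0) -> Optional[int]:
    """Send a minimal HTTP/1.0 GET and return the status code, or None if nothing HTTP answers."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            head = sock.recv(1024)
    except OSError:
        return None
    parts = head.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def assess(host: str, whiteboard_port: int = WHITEBOARD_HTTP_PORT,
           adb_port: int = ADB_TCP_PORT) -> list:
    """Return one Finding per service that answers from the network on this host."""
    findings = []
    status = http_status(host, whiteboard_port)
    if status is not None:
        if status == 200:
            detail = "HTTP 200 with no credentials: whiteboard web server is reachable and unauthenticated"
        elif status in (401, 403):
            detail = f"HTTP {status}: web server reachable but access is restricted"
        else:
            detail = f"HTTP {status}: web server reachable; inspect manually"
        findings.append(Finding(host, whiteboard_port, "whiteboard-http", detail))
    if tcp_open(host, adb_port):
        findings.append(Finding(host, adb_port, "adb",
                                "TCP port open: ADB is network-reachable; block it at the switch or firewall"))
    return findings


def start_fake_service(response: bytes) -> int:
    """Constructed fixture: a localhost listener that answers each connection with
    `response` once, then closes it. Returns the ephemeral port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.recv(1024)          # read the request (or EOF), then reply
                conn.sendall(response)

    threading.Thread(target=serve, daemon=True).start()
    return port


def closed_port() -> int:
    """Constructed fixture: a localhost port that is currently closed (bind, read, release)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Demo against the constructed fixtures rather than a real device.
    wb = start_fake_service(b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
                            b'<a href="/boards/1.pdf">1.pdf</a>')
    adb = start_fake_service(b"")
    for f in assess("127.0.0.1", whiteboard_port=wb, adb_port=adb):
        print(f"{f.host}:{f.port} [{f.service}] {f.detail}")
```

In practice you would call `assess(ip)` for each unit in your inventory; an empty result means neither service answers from the network, which is the state the recommendation above aims for. A 200 on port 8080 means the whiteboard server is still exposed, and an open ADB port means the root-shell path is still reachable, so the firmware should be updated and the Android side fenced off.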
Forescout says its research shows how Internet-of-things devices can pose a security threat to an organization if left unpatched or unprotected on corporate networks. “As IoT devices like these become more pervasive in the enterprise, organizations need to carefully consider the security implications and take the necessary risk mitigation steps.”