Add another entry to the list of internet-connected devices causing problems in unexpected places. Touchscreen smart TVs from DTEN, a “certified hardware provider” for popular video conferencing service Zoom, have flaws that hackers could use to essentially bug conference rooms, lift video feeds, or nab notes written on the device’s digital whiteboard. Just one more reason to hate long meetings.
Security firm Forescout discovered the vulnerabilities in July when its researchers turned their bug hunting skills on the video conferencing units sitting in their own office meeting rooms. After two weeks conducting a surface-level security review of the DTEN D5 and D7 connected displays, the team found five bugs. Three have been patched, but two remain vulnerable. After disclosing the flaws to DTEN at the beginning of August, the researchers wanted to come forward with the findings to raise awareness about the threat of security issues lurking in inconspicuous devices.
“This new hardware is basically replacing a lot of the displays in conference rooms, and it’s an interesting melding of things like smart TVs, web conference systems, and telepresence robots,” says Alex Eisen, Forescout’s senior director of research.
One issue that jumped out at the researchers: The DTEN system stored notes and annotations written through the whiteboard feature in an Amazon Web Services bucket that was exposed on the open internet. This means that customers could have accessed PDFs of each others’ slides, screenshots, and notes just by changing the numbers in the URL they used to view their own. Or anyone could have remotely nabbed the entire trove of customers’ data. Additionally, DTEN hadn’t set up HTTPS web encryption on the customer web server to protect connections from prying eyes. DTEN fixed both of these issues on October 7. A few weeks later, the company also fixed a similar whiteboard PDF access issue that would have allowed anyone on a company’s network to access all of its stored whiteboard data.
“This is really low hanging fruit for an attacker,” says Elisa Costante, head of Forescout Research Labs.
The researchers also discovered two ways that an attacker on the same network as DTEN devices could manipulate the video conferencing units to monitor all video and audio feeds and, in one case, to take full control. DTEN hardware runs Android primarily, but uses Microsoft Windows for Zoom. The researchers found that they can access a development tool known as “Android Debug Bridge,” either wirelessly or through USB ports or ethernet, to take over a unit. The other bug also relates to exposed Android factory settings. The researchers note that attempting to implement both operating systems creates more opportunities for misconfigurations and exposure. DTEN says that it will push patches for both bugs by the end of the year.
“On top of Android you have full PC Windows and the ability to jump between operating systems,” Eisen says. “Both operating systems have their own connectivity, their own IP addresses, and their own USB ports open, so whether you’re local on the network or physically on the device you can get in and all meeting content can be captured on the Android operating system.”
Though local network and physical access attacks pose less of an immediate threat than data exposed on the open internet, hackers can gain network access remotely through other flaws—and insider threats are an increasing concern for businesses and other large institutions. Meanwhile, DTEN counts a number of large companies and organizations among its customers, including the United States Department of Justice. DOJ did not return a request for comment, but the department does buy network and telecom equipment from DTEN resellers.
DTEN said in a statement that, “We take customer privacy and security very seriously. Right at receiving the report from Forescout, we immediately conducted our internal investigation. We also engaged with Forescout for needed further clarifications. All these issues have since been verified as resolved and will be released … inline with Zoom Rooms coming update currently scheduled end of December.”