Dten is a "certified hardware provider" for Zoom, making smart screens and whiteboards for videoconferencing; a Forescout Research report reveals that Dten committed a string of idiotic security blunders in designing its products, exposing its customers to video and audio surveillance, as well as theft of presentations and whiteboard data.
Among the mistakes Forescout identified:
* Storing customer data in unsecured Amazon web buckets; all you needed to do to spy on a customer's stored data was to change the customer ID in the standard URL provided to each customer;
* Not using SSL to encrypt data in transit, making it trivial to eavesdrop on conferences.
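The first bullet is a textbook insecure direct object reference: the server hands back whatever customer ID appears in the URL without asking whether the caller owns it. The following Python is an added illustration of that bug class and its fix, not Dten's or Forescout's code; the data store, session object, handler names, log format and IP addresses are all constructed for the example. The detection helper at the end shows the access-log pattern a defender would look for when IDs are being walked.

```python
"""IDOR on a per-customer data URL: vulnerable handler, hardened handler, and a
log check for ID enumeration. Added example; all names and data are constructed."""

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample store: customer ID -> stored presentation/whiteboard data.
STORE = {
    "1001": {"owner": "acme", "files": ["q3-roadmap.pptx"]},
    "1002": {"owner": "globex", "files": ["whiteboard-2019-11-04.png"]},
}


@dataclass
class Session:
    """The authenticated caller (constructed; a real service derives this from a token)."""
    customer_id: str
    is_admin: bool = False


def fetch_vulnerable(requested_id: str, session: Session) -> dict:
    """Vulnerable: trusts the ID in the URL and never consults the session,
    so changing the ID in the URL returns another customer's data."""
    return STORE[requested_id]


def fetch_hardened(requested_id: str, session: Session) -> dict:
    """Hardened: the requested object must belong to the caller, or the caller
    must hold an admin role. Authorisation is decided server-side from the
    session, never from the URL."""
    record = STORE.get(requested_id)
    allowed = record is not None and (session.is_admin or session.customer_id == requested_id)
    if not allowed:
        # One response for "missing" and "not yours", so a probe cannot tell which IDs exist.
        raise PermissionError("404: not found")
    return record


def is_denied(requested_id: str, session: Session) -> bool:
    """True when the hardened handler refuses the request (convenience for checks)."""
    try:
        fetch_hardened(requested_id, session)
    except PermissionError:
        return True
    return False


# Constructed access-log lines: "<source ip> GET /customers/<id>/data <status>".
LOG_RE = re.compile(r"^(\S+) GET /customers/(\d+)/data (\d{3})$")
SAMPLE_LOG = [
    "10.0.0.5 GET /customers/1001/data 200",
    "10.0.0.5 GET /customers/1002/data 200",
    "10.0.0.5 GET /customers/1003/data 200",
    "10.0.0.5 GET /customers/1004/data 200",
    "10.0.0.9 GET /customers/1002/data 200",
    "10.0.0.9 GET /customers/1002/data 200",
]


def flag_enumeration(lines, threshold: int = 3) -> list:
    """Detection: return source IPs that fetched data for more than `threshold`
    distinct customer IDs, the log signature of someone walking the ID space."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    return sorted(ip for ip, ids in seen.items() if len(ids) > threshold)


if __name__ == "__main__":
    victim_view = Session(customer_id="1001")
    print("vulnerable:", fetch_vulnerable("1002", victim_view)["owner"])   # another customer's data
    print("hardened denies cross-customer read:", is_denied("1002", victim_view))
    print("hardened allows own data:", fetch_hardened("1001", victim_view)["owner"])
    print("enumerating sources:", flag_enumeration(SAMPLE_LOG))
```

The hardened handler deliberately returns the same "not found" for an unknown ID and for an ID the caller does not own; answering 403 for existing records and 404 for missing ones would itself reveal which customer IDs are valid. The log check is a coarse heuristic (a single source touching many distinct IDs) and would be tuned per deployment, but it is the kind of signal that turns an exposed bucket into a detectable event rather than silent data loss.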
Forescout identified five bugs in July. As of today, Dten has fixed three of them.
Dten told Wired: "We take customer privacy and security very seriously."
The researchers also discovered two ways that an attacker on the same network as DTEN devices could manipulate the video conferencing units to monitor all video and audio feeds and, in one case, to take full control. DTEN hardware runs Android primarily, but uses Microsoft Windows for Zoom. The researchers found that they can access a development tool known as "Android Debug Bridge," either wirelessly or through USB ports or Ethernet, to take over a unit. The other bug also relates to exposed Android factory settings. The researchers note that attempting to implement both operating systems creates more opportunities for misconfigurations and exposure. DTEN says that it will push patches for both bugs by the end of the year.
"On top of Android you have full PC Windows and the ability to jump between operating systems," Eisen says. "Both operating systems have their own connectivity, their own IP addresses, and their own USB ports open, so whether you're local on the network or physically on the device you can get in and all meeting content can be captured on the Android operating system."
Hackers Could Use Smart Displays to Spy on Meetings [Lily Hay Newman/Wired]