First thing Monday morning, you get a surprise invite to a confidential presentation. Your CEO explains that you are among the select group of employees who will get a peek at an innovation that could transform your industry forever. After you are sworn to secrecy for the hundredth time, a PowerPoint appears on the screen.
The only problem?
An attacker has gained and retained access to the company’s presentation system, and is sitting outside the room, following along.
Vulnerabilities in leading wireless presentation system
New research from F-Secure’s Hardware Security team has found vulnerabilities in ClickShare (a leading wireless presentation system from Barco) that attackers can exploit to intercept communications, steal information, or spread malware.
F-Secure’s Dmitry Janushkevich, a senior consultant with the company’s Hardware Security team, became interested in the system after he and his F-Secure Consulting colleagues noticed ClickShare’s popularity with companies.
Dmitry and the team spent time researching the system in between other assignments. On October 9, 2019, F-Secure contacted Barco with information regarding multiple vulnerabilities discovered during the research.
“For an attacker, this is a fast, practical way to compromise a company, and organizations need to inform themselves about the associated risks,” according to Dmitry.
Dmitry and co. published the findings on F-Secure Labs. But read on for a couple of examples of how actual attackers could use these vulnerabilities against organizations.
Intercepting the system’s communications
Attackers can exploit the system’s software and default Wi-Fi settings to intercept and manipulate communications, essentially allowing them to see and change on-going presentations in real time.
This means the system cannot be relied on to present company-confidential information securely unless additional precautions are in place.
Changing the default Wi-Fi settings makes this attack considerably harder. However, an attacker who gains physical access to a paired ClickShare Button can still carry it out.
Compromising users’ systems
With physical access to the system, as in the case of a conference center or a meeting room, an attacker can exploit vulnerabilities in the ClickShare Buttons (the part of the system that users plug into their computers’ USB ports) to compromise the users’ devices.
If this attack is executed successfully, users become exposed to a range of potential problems, including stolen passwords and malware infections.
Potential mitigations and security advice
F-Secure and Barco have worked together to coordinate the vulnerability disclosure, and Barco issued an update earlier today. However, several of the issues involve hardware components that cannot receive software updates, making them unlikely to get fixed.
“This case highlights how hard it is to secure ‘smart devices.’ Bugs in silicon, in the design, and in the embedded software can have long-lasting negative effects on both the vendor and users, undermining the trust we put in these devices,” says Dmitry.
In spite of the security challenges posed by “smart devices”, there are steps companies can take. F-Secure recommends affected organizations implement all mitigations available from Barco, including the recent software updates. Changing default passwords is also an essential security measure for securing internet-connected devices.
And in many cases, the value of controlling physical access to a company’s premises and devices is overlooked. Physical access presents attackers with many opportunities to compromise an organization via its devices and technology. Testing these access controls with red team assessments (which is exactly what inspired Dmitry and his F-Secure Consulting colleagues to begin this research) can help businesses find potential soft spots in their security before attackers do.