from the of-course-it-is-it-is-the-government,-after-all dept.
Meeting Owl videoconference device used by govs is a security disaster:
The Meeting Owl Pro is a videoconference device with an array of cameras and microphones that captures 360-degree video and audio and automatically focuses on whoever is speaking to make meetings more dynamic and inclusive. The consoles, which are slightly taller than an Amazon Alexa and bear the likeness of a tree owl, are widely used by state and local governments, colleges, and law firms.
A recently published security analysis has concluded the devices pose an unacceptable risk to the networks they connect to and the personal information of those who register and administer them. The litany of weaknesses includes:
- The exposure of names, email addresses, IP addresses, and geographic locations of all Meeting Owl Pro users in an online database that can be accessed by anyone with knowledge of how the system works. This data can be exploited to map network topologies or socially engineer or dox employees.
- The device provides anyone with access to it with the interprocess communication channel, or IPC, it uses to interact with other devices on the network. This information can be exploited by malicious insiders or hackers who exploit some of the vulnerabilities found during the analysis.
- Bluetooth functionality designed to extend the range of devices and provide remote control by default uses no passcode, making it possible for a hacker in proximity to control the devices. Even when a passcode is optionally set, the hacker can disable it without first having to supply it.
- An access point mode that creates a new Wi-Fi SSID while using a separate SSID to stay connected to the organization network. By exploiting Wi-Fi or Bluetooth functionalities, an attacker can compromise the Meeting Owl Pro device and then use it as a rogue access point that infiltrates or exfiltrates data or malware into or out of the network.
- Images of captured whiteboard sessions—which are supposed to be available only to meeting participants—could be downloaded by anyone with an understanding of how the system works.
[...] Researchers from modzero, a Switzerland- and Germany-based security consultancy that performs penetration testing, reverse engineering, source-code analysis, and risk assessment for its clients, discovered the threats while conducting an analysis of videoconferencing solutions on behalf of an unnamed customer. The firm first contacted Meeting Owl-maker Owl Labs of Somerville, Massachusetts, in mid-January to privately report their findings. As of the time this post went live on Ars, none of the most glaring vulnerabilities had been fixed, leaving thousands of customer networks at risk.
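The fourth weakness above (a device that brings up its own SSID while staying joined to the corporate network) is the one an on-site team can actually go looking for without any vendor tooling: walk the floor and compare what is beaconing against the list of networks the site sanctions. The script below is an added example written for this page; it is not code from Ars, modzero or Owl Labs, and it assumes nothing about how a Meeting Owl names its access point. It parses the text format printed by `iw dev <iface> scan` on Linux, drops APs too weak to plausibly be inside the building, and lists the rest that are not on an approved-SSID allowlist. The scan text, the SSID names and the approved list are all constructed for the example.

```python
"""Triage a Wi-Fi scan for access points not on a site's approved-SSID list.

Added example, not from the Ars story, modzero or Owl Labs. The scan text,
SSIDs and allowlist below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample in the block format `iw dev wlan0 scan` prints.
# The last entry is a hidden-SSID AP (empty SSID line) far away from the scanner.
SAMPLE_SCAN = """\
BSS 02:11:22:33:44:55(on wlan0)
\tfreq: 2437
\tsignal: -41.00 dBm
\tSSID: corp-staff
BSS 02:11:22:33:44:56(on wlan0)
\tfreq: 5180
\tsignal: -58.00 dBm
\tSSID: corp-guest
BSS 06:aa:bb:cc:dd:ee(on wlan0)
\tfreq: 2462
\tsignal: -37.00 dBm
\tSSID: Meeting Room Device
BSS 0a:99:88:77:66:55(on wlan0)
\tfreq: 2412
\tsignal: -80.00 dBm
\tSSID: 
"""

# Assumption: the networks this site sanctions. Anything else is a finding.
APPROVED_SSIDS = {"corp-staff", "corp-guest"}


@dataclass
class Bss:
    bssid: str
    ssid: str          # "" for a hidden network
    freq_mhz: int
    signal_dbm: float


BSS_RE = re.compile(r"^BSS ([0-9a-f:]{17})", re.I)


def parse_iw_scan(text: str) -> list[Bss]:
    """Parse the BSS blocks of `iw dev <iface> scan` output into records."""
    records: list[dict] = []
    cur = None
    for line in text.splitlines():
        m = BSS_RE.match(line)
        if m:
            if cur:
                records.append(cur)
            cur = {"bssid": m.group(1).lower(), "ssid": "", "freq": 0, "signal": 0.0}
            continue
        if cur is None:
            continue  # header lines before the first BSS block
        s = line.strip()
        if s.startswith("SSID:"):
            cur["ssid"] = s[len("SSID:"):].strip()
        elif s.startswith("freq:"):
            cur["freq"] = int(s.split(":", 1)[1].strip())
        elif s.startswith("signal:"):
            cur["signal"] = float(s.split(":", 1)[1].split()[0])  # "-41.00 dBm" -> -41.0
    if cur:
        records.append(cur)
    return [Bss(r["bssid"], r["ssid"], r["freq"], r["signal"]) for r in records]


def find_unapproved(records: list[Bss], approved: set[str],
                    min_signal_dbm: float = -70.0) -> list[Bss]:
    """Return APs whose SSID is not approved and that are strong enough to be
    on-premises (weak neighbours across the street are noise), strongest first.
    Hidden SSIDs ("") are never on an allowlist, so they are reported too."""
    hits = [b for b in records
            if b.ssid not in approved and b.signal_dbm >= min_signal_dbm]
    return sorted(hits, key=lambda b: b.signal_dbm, reverse=True)


if __name__ == "__main__":
    for b in find_unapproved(parse_iw_scan(SAMPLE_SCAN), APPROVED_SSIDS):
        print(f"{b.bssid}  {b.signal_dbm:6.1f} dBm  {b.freq_mhz} MHz  SSID={b.ssid!r}")
```

Two caveats a practitioner would add before relying on this: an SSID allowlist only catches a device that advertises a new network name, so a rogue AP cloning an approved SSID (an evil twin) needs a BSSID allowlist on top; and the signal threshold is a heuristic, so lower it (or walk closer) when sweeping large open-plan floors.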
Related Stories
Two Harvard students recently revealed that it's possible to combine Meta smart glasses with face image search technology to "reveal anyone's personal details," including their name, address, and phone number, "just from looking at them."
In a Google document, AnhPhu Nguyen and Caine Ardayfio explained how they linked a pair of Meta Ray Bans 2 to an invasive face search engine called PimEyes to help identify strangers by cross-searching their information on various people-search databases. They then used a large language model (LLM) to rapidly combine all that data, making it possible to dox someone in a glance or surface information to scam someone in seconds—or other nefarious uses, such as "some dude could just find some girl's home address on the train and just follow them home," Nguyen told 404 Media.
This is all possible thanks to recent progress with LLMs, the students said.
[...] To prevent anyone from being doxxed, the co-creators are not releasing the code, Nguyen said on social media site X. They did, however, outline how their disturbing tech works and how shocked random strangers used as test subjects were to discover how easily identifiable they are, just from the smart glasses accessing information posted publicly online.
[...] But while privacy is clearly important to the students and their demo video strove to remove identifying information, at least one test subject was "easily" identified anyway, 404 Media reported. That test subject couldn't be reached for comment, 404 Media reported.
So far, neither Facebook nor Google has chosen to release similar technologies that they developed linking smart glasses to face search engines, The New York Times reported.
[...] In the European Union, where collecting facial recognition data generally requires someone's direct consent under the General Data Protection Regulation, smart glasses like I-XRAY may not be as big of a concern for people who prefer to be anonymous in public spaces. But in the US, I-XRAY could be providing bad actors with their next scam.
"If people do run with this idea, I think that's really bad," Ardayfio told 404 Media. "I would hope that awareness that we've spread on how to protect your data would outweigh any of the negative impacts this could have."
(Score: 5, Insightful) by driverless on Monday June 06 2022, @11:10AM
It omits the "Surprising Exactly Nobody" at the start.
(Score: 1, Troll) by Runaway1956 on Monday June 06 2022, @11:14AM (3 children)
There are laws against spying on government, right? So, it's perfectly safe.
“I have become friends with many school shooters” - Tampon Tim Walz
(Score: 0) by Anonymous Coward on Monday June 06 2022, @03:22PM (2 children)
Like guns?
(Score: 0, Troll) by Runaway1956 on Monday June 06 2022, @03:31PM (1 child)
Actually, yes, like guns. There are laws that prevent guns being used illegally. Therefore, there can be no gun problem. Laws control problems.
“I have become friends with many school shooters” - Tampon Tim Walz
(Score: -1, Troll) by Anonymous Coward on Monday June 06 2022, @05:57PM
Cool, let's scrap all laws and see how you like that.
Libertarians are like house cats: convinced of their fierce independence while utterly dependent on a system they don't appreciate nor understand.
(Score: 0) by Anonymous Coward on Monday June 06 2022, @11:24AM (8 children)
Isn't everyone interested in (or giving lip service to) Open Government? Why should our elected representatives be allowed to meet in private and keep secrets from the rest of us? I like this device; it opens up all kinds of semi-secret data. I hope that the 3rd Estate (press) takes full advantage of this new tool!
(Score: 5, Touché) by PiMuNu on Monday June 06 2022, @11:25AM (4 children)
Sure, I have a Freedom of Information request in on the nuclear bomb codes right now...
(Score: 2, Funny) by Anonymous Coward on Monday June 06 2022, @11:35AM
You can ask for them on Russian hacker sites: faster and cheaper than the US govt will process your request.
(Score: 1) by pTamok on Monday June 06 2022, @02:02PM (1 child)
Here you go:
ars TECHNICA: Launch code for US nukes was 00000000 for 20 years [arstechnica.com]
(Score: 0) by Anonymous Coward on Monday June 06 2022, @03:16PM
Brute forcing that in Fortran (starting with 1) would take the full 100 million tries.
In C (starting at 0) it would take one try.
(Score: 2) by sjames on Tuesday June 07 2022, @10:46AM
All zeros. Has been for a long time.
(Score: 3, Insightful) by JoeMerchant on Monday June 06 2022, @06:07PM (2 children)
This tool certainly should be used for "open meetings" which are intended to be discoverable via immediate FOI request and fulfillment.
Unfortunately, the people using the tool don't really believe in "open meetings" but they do implicitly believe a label on a screen that says "secure line" when they have absolutely no reason to.
Most government communication and deliberation should be held C-Span style, transparent to all interested parties domestic and foreign. Sadly, only a tiny sliver of the actual decision making process is exposed this way, even though it could (should) be with modern technology.
🌻🌻 [google.com]
(Score: 3, Insightful) by Runaway1956 on Monday June 06 2022, @09:21PM (1 child)
Problem is, no one covers what transpires at the golf course, or at the cabin on the lake, or at the "gentlemen's clubs". That's where all the real business takes place.
“I have become friends with many school shooters” - Tampon Tim Walz
(Score: 2) by JoeMerchant on Monday June 06 2022, @10:10PM
It's far far worse than that... they assume (like the Supreme Court) that their deliberations are NATIONAL SECURITY TOP SECRET and yet they still hold them in offices open to the public, often with open doors...
Loose e-mail servers weren't the first security breach in history.
So, yeah, deals get made all over, and the C-SPAN fodder is intentionally boring. My radical proposal would be: want to run for PUBLIC office, as a PUBLIC servant? You are implicitly giving away your right to privacy when you do this. The PUBLIC has the right to know where you are, and who you are talking to, 24-7-365.24.
🌻🌻 [google.com]