Multiple Bugs Made Zoom Hardware Susceptible to Hackers

In July, security firm Forescout discovered that DTEN touchscreen smart TVs, made by one of video conference service Zoom’s “certified hardware providers,” can be hacked to allow evildoers to bug conference rooms and capture video feeds and whiteboard notes. A two-week study of the DTEN D5 and D7 connected displays revealed five bugs, three of which have been patched and two of which remain unpatched. After disclosing the flaws to DTEN, Forescout decided to go public to raise awareness of the security threat.

Wired reports the Forescout team found that, “the DTEN system stored notes and annotations written through the whiteboard feature in an Amazon Web Services bucket that was exposed on the open Internet,” which would allow hackers to remotely steal “the entire trove of customers’ data.”

Forescout senior director of research Alex Eisen noted that “this new hardware is basically replacing a lot of the displays in conference rooms, and it’s an interesting melding of things like smart TVs, web conference systems, and telepresence robots.”

The researchers also found that DTEN “hadn’t set up HTTPS web encryption on the customer webserver to protect connections from prying eyes.” DTEN fixed both of these flaws on October 7 and, a few weeks later, fixed a “similar whiteboard PDF access issue that would have allowed anyone on a company’s network to access all of its stored whiteboard data.”

Forescout Research Labs head Elisa Costante noted that “this is really low hanging fruit for an attacker.”

The researchers revealed two other bugs. In the first, the development tool “Android Debug Bridge” can be reached wirelessly or through the USB or Ethernet ports and used to take over a DTEN unit. The second bug “also relates to exposed Android factory settings.” “On top of Android you have full PC Windows and the ability to jump between operating systems,” said Eisen.

“Both operating systems have their own connectivity, their own IP addresses, and their own USB ports open, so whether you’re local on the network or physically on the device you can get in and all meeting content can be captured on the Android operating system.” DTEN has stated it will “push patches for both bugs by the end of the year.”

Among DTEN’s customers are large companies and organizations, including the U.S. Justice Department. “We take customer privacy and security very seriously,” stated DTEN. “Right at receiving the report from Forescout, we immediately conducted our internal investigation. We also engaged with Forescout for needed further clarifications. All these issues have since been verified as resolved and will be released … in line with Zoom Rooms’ coming update currently scheduled end of December.”