Belgian digital projection and imaging technology supplier Barco has patched a serious vulnerability in its popular ClickShare wireless presentation product that could have enabled cyber attackers to intercept and manipulate information during presentations, steal passwords and other valuable data, and install backdoors and malware. However, according to threat researchers at F-Secure, users may not be fully protected.
ClickShare enables users to collaborate through sharing and presenting content from different devices. It commands about 29% of its market, according to FutureSource Consulting stats, and is in use at multiple large enterprises, including construction giant Skanska, car hire firm Avis and about 40% of the Fortune 1,000.
The vulnerabilities were unearthed at F-Secure Consulting this autumn, ahead of a firmware update released on 16 December 2019 as part of a collaborative co-ordinated disclosure effort between the two suppliers.
But F-Secure said users may not be out of the woods yet, because a number of the issues involve hardware components that will require physical maintenance. F-Secure senior consultant Dmitry Janushkevich said this highlighted how hard it can be to secure any smart device.
“Bugs in silicon, in the design, and in the embedded software can have long-lasting negative effects on both the vendor and users, undermining the trust we put in these devices,” he said.
Janushkevich said the popularity of such tools made them a logical way for cyber criminals to target enterprise victims.
“The [ClickShare] system is so practical and easy to use, people can’t see any reason to mistrust it,” he said. “But its deceptive simplicity hides extremely complex inner workings, and this complexity makes security challenging.
“The everyday objects that people trust without a second thought make the best targets for attackers, and because these systems are so popular with companies, we decided to poke at it and see what we could learn.”
Janushkevich and his team spent several months probing ClickShare after they noticed that red teams were frequently exploiting it while testing their organisations’ defences as part of a security assessment.
The F-Secure team found multiple exploitable flaws, including 10 with Common Vulnerabilities and Exposures (CVE) IDs already assigned.
They said that although exploiting some of the vulnerabilities hinged on having physical access to the device – perhaps while posing as a cleaner or maintenance worker – some could be exploited remotely if the target user was still using ClickShare’s default settings.
“Our tests’ primary objectives were to backdoor the system so we could compromise presenters, and steal information as it is presented,” said Janushkevich. “Although cracking the perimeter was tough, we were able to find multiple issues after we gained access, and exploiting them was easy once we knew more about the system. For an attacker, this is a fast, practical way to compromise a company, and organisations need to inform themselves about the associated risks.”