Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Privacy Security Hardware Technology

Crestron Touchscreens Could Spy On Hotel Rooms, Meetings (wired.com) 21

An anonymous reader quotes a report from Wired: The connected devices you think about the least are sometimes the most insecure. That's the takeaway from new research to be presented at the DefCon hacking conference Friday by Ricky Lawshae, an offensive security researcher at Trend Micro. Lawshae discovered over two dozen vulnerabilities in Crestron devices used by corporations, airports, sports stadiums, and local governments across the country. While Crestron has released a patch to fix the issues, some of the weaknesses allowed for hackers to theoretically turn the Crestron Android touch panels used in offices and hotel rooms into spy devices.

Lawshae quickly noticed that these devices have security authentication protections disabled by default. For the most part, the Crestron devices Lawshae analyzed are designed to be installed and configured by third-party technicians, meaning an IT engineer needs to voluntarily turn on security protections. The people who actually use Crestron's devices after they're installed might not even know such protections exist, let alone how crucial they are. Crestron devices do have special engineering backdoor accounts which are password-protected. But the company ships its devices with the algorithm that is used to generate the passwords in the first place. That information can be used by non-privileged users to reverse engineer the password itself, a vulnerability simultaneously identified by both Lawshae and Jackson Thuraisamy, a vulnerability researcher at Security Compass.
There were also over two dozen other vulnerabilities that could be exploited to do things like transform them into listening devices. In addition to being able to remotely record audio via the microphones to a downloadable file, Lawshae was also able to remotely stream video from the webcam and open a browser and display a webpage to an unsuspecting room full of meeting attendees. "Crestron has issued a fix for the vulnerabilities, and firmware updates are now available," reports Wired.
This discussion has been archived. No new comments can be posted.

Crestron Touchscreens Could Spy On Hotel Rooms, Meetings

Comments Filter:
  • Geez. They used to make electronics in the 1970s. That is pretty impressive they are still around.
    • by Anonymous Coward

      They're basically everywhere in school auditoriums and corporate boardrooms to control AV equipment.

      • I think we have a couple where I work too. We better install the patches, otherwise hackers might view...our Powerpoints...
  • All hype (Score:5, Informative)

    by mtmra70 ( 964928 ) on Friday August 10, 2018 @06:59PM (#57104958)

    I have programmed and support Crestron devices (among many other AV solutions) over the years (coming close to 20 years). This is all hype.

    Yes, you can open a web page on an embeded browser, you can send/view video streams, etc. But it is all very complex since their systems run proprietary code which has to be written then compiled in their editor. Then you have to load the code on the system, which mind you if you don't have the original source code you immediately break the room/system. And all of this assumes the Crestron(AV) system is not on its own vlan/control subnet. It's like saying a Linux box with a web cam sitting in a conference room can be used to spy on people....as soon as you write, compile and wipe the existing kernel/OS.

    Where is the Cisco article discussing how a "hacker" can open the web interface of a Cisco telepresence system and spy on conference rooms!?!?! Or make it answer an incoming call while overriding what the user in the room might otherwise deny?!?!? Oh wait, thats working as designed....

    • was Pee Tape. Yeah, it would be hard for a run of the mill hacker, but I'm guessing most folks don't expect their Hotel TV to spy on them. It would be a useful attack vector or an intelligence agency.
  • by Mnemennth ( 607438 ) on Friday August 10, 2018 @07:40PM (#57105082) Journal

    ...8 years ago they were still selling units running XP embedded ( I installed and serviced them). I saw at least a dozen easily exploited holes in their management procedures back then, and I'm not talking about outre' software & firmware hacks like we're seeing with all these IoT devices that everybody's all up in arms over... but just plain poor security implementation on a procedural and management level.

    That said, I've been out of the trade for several years now... while it's possible they've tightened up their ship, as sloppy as things were back then I find it hard to believe their gear is now inherently any more secure than a Chinese smartphone.

    Cheers,

    mnem
    Security of any sort in any large organization is more a matter of running around putting out brushfires than anything like actually sealing up a leak.

  • by Anonymous Coward

    Ricky Lawshae, an offensive security researcher at Trend Micro.

    I met Ricky Lawshae once, and I didn't find him particularly offensive. Rimshot [instantrimshot.com].

  • by Anonymous Coward

    ...who's also spying on your hotel rooms? Duck nuggers.

  • by Anonymous Coward

    because how else are you getting attention for your "hacking" presentation on your "hacker" conference?

  • by Anonymous Coward

    I always thought those flexible bedside lamps that are built into the bedframe had built in cameras.

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...