Crestron Touchscreens Could Spy On Hotel Rooms, Meetings (wired.com) 21
An anonymous reader quotes a report from Wired: The connected devices you think about the least are sometimes the most insecure. That's the takeaway from new research to be presented at the DefCon hacking conference Friday by Ricky Lawshae, an offensive security researcher at Trend Micro. Lawshae discovered over two dozen vulnerabilities in Crestron devices used by corporations, airports, sports stadiums, and local governments across the country. While Crestron has released a patch to fix the issues, some of the weaknesses allowed for hackers to theoretically turn the Crestron Android touch panels used in offices and hotel rooms into spy devices.
Lawshae quickly noticed that these devices have security authentication protections disabled by default. For the most part, the Crestron devices Lawshae analyzed are designed to be installed and configured by third-party technicians, meaning an IT engineer needs to voluntarily turn on security protections. The people who actually use Crestron's devices after they're installed might not even know such protections exist, let alone how crucial they are. Crestron devices do have special engineering backdoor accounts which are password-protected. But the company ships its devices with the algorithm that is used to generate the passwords in the first place. That information can be used by non-privileged users to reverse engineer the password itself, a vulnerability simultaneously identified by both Lawshae and Jackson Thuraisamy, a vulnerability researcher at Security Compass. There were also over two dozen other vulnerabilities that could be exploited to do things like transform them into listening devices. In addition to being able to remotely record audio via the microphones to a downloadable file, Lawshae was also able to remotely stream video from the webcam and open a browser and display a webpage to an unsuspecting room full of meeting attendees. "Crestron has issued a fix for the vulnerabilities, and firmware updates are now available," reports Wired.
Lawshae quickly noticed that these devices have security authentication protections disabled by default. For the most part, the Crestron devices Lawshae analyzed are designed to be installed and configured by third-party technicians, meaning an IT engineer needs to voluntarily turn on security protections. The people who actually use Crestron's devices after they're installed might not even know such protections exist, let alone how crucial they are. Crestron devices do have special engineering backdoor accounts which are password-protected. But the company ships its devices with the algorithm that is used to generate the passwords in the first place. That information can be used by non-privileged users to reverse engineer the password itself, a vulnerability simultaneously identified by both Lawshae and Jackson Thuraisamy, a vulnerability researcher at Security Compass. There were also over two dozen other vulnerabilities that could be exploited to do things like transform them into listening devices. In addition to being able to remotely record audio via the microphones to a downloadable file, Lawshae was also able to remotely stream video from the webcam and open a browser and display a webpage to an unsuspecting room full of meeting attendees. "Crestron has issued a fix for the vulnerabilities, and firmware updates are now available," reports Wired.
Crestron? (Score:2)
Re: (Score:1)
They're basically everywhere in school auditoriums and corporate boardrooms to control AV equipment.
Re: (Score:2)
Re: (Score:2)
All hype (Score:5, Informative)
I have programmed and support Crestron devices (among many other AV solutions) over the years (coming close to 20 years). This is all hype.
Yes, you can open a web page on an embeded browser, you can send/view video streams, etc. But it is all very complex since their systems run proprietary code which has to be written then compiled in their editor. Then you have to load the code on the system, which mind you if you don't have the original source code you immediately break the room/system. And all of this assumes the Crestron(AV) system is not on its own vlan/control subnet. It's like saying a Linux box with a web cam sitting in a conference room can be used to spy on people....as soon as you write, compile and wipe the existing kernel/OS.
Where is the Cisco article discussing how a "hacker" can open the web interface of a Cisco telepresence system and spy on conference rooms!?!?! Or make it answer an incoming call while overriding what the user in the room might otherwise deny?!?!? Oh wait, thats working as designed....
As an American my first though (Score:2, Troll)
Re: All hype (Score:1)
You are vastly overestimating the amount of access this gives you.
Additionally, not all of the TSW-xx60 units have cameras and microphones.
As far as controlling the room, you essentially send encoded strings back to the processor over cip or scip. Every system is unique. You may have stumbled upon a panel that only adjusts volume for yoga studio.
If you have access to this unit, you've already owned the network.
These are trivially easy to secure and crestron provides (surprisingly) decent documentation for
This feels more like déjà vu than news.. (Score:3, Informative)
...8 years ago they were still selling units running XP embedded ( I installed and serviced them). I saw at least a dozen easily exploited holes in their management procedures back then, and I'm not talking about outre' software & firmware hacks like we're seeing with all these IoT devices that everybody's all up in arms over... but just plain poor security implementation on a procedural and management level.
That said, I've been out of the trade for several years now... while it's possible they've tightened up their ship, as sloppy as things were back then I find it hard to believe their gear is now inherently any more secure than a Chinese smartphone.
Cheers,
mnem
Security of any sort in any large organization is more a matter of running around putting out brushfires than anything like actually sealing up a leak.
He's not offensive, he's my brother (Score:1)
Ricky Lawshae, an offensive security researcher at Trend Micro.
I met Ricky Lawshae once, and I didn't find him particularly offensive. Rimshot [instantrimshot.com].
Would you like to know... (Score:1)
...who's also spying on your hotel rooms? Duck nuggers.
Anything to shout "hackers!" (Score:2, Insightful)
because how else are you getting attention for your "hacking" presentation on your "hacker" conference?
Flexible bedside lamps (Score:1)
I always thought those flexible bedside lamps that are built into the bedframe had built in cameras.