Forescout Research Labs has discovered and disclosed multiple vulnerabilities in state-of-the-art systems for video conferencing manufactured by DTEN. These systems are commonly used as touchscreen smart TVs and collaborative, real-time whiteboards within large enterprises in conjunction with Zoom Meetings.
While systems like the DTEN D7 video conferencing solution facilitate better collaboration across geographies and allow teams to become truly global, enterprises need to be mindful of the risks these emerging devices can present on enterprise networks, as well as how the sensitive data they handle is protected on the devices, in the cloud and in transit. In this case, sensitive data included both live meetings and saved artifacts like conversations, recordings, notes, and interactive whiteboards.
In total, our researchers discovered five vulnerabilities of four different kinds:
Data exposure: PDF files of shared whiteboards (e.g., meeting notes) and other sensitive files (e.g., OTA, over-the-air, updates) were stored in a publicly accessible AWS S3 bucket that also lacked TLS encryption (CVE-2019-16270, CVE-2019-16274).
Unauthenticated web server: a web server on the device's Android OS, listening on port 8080, discloses all whiteboards stored locally on the device (CVE-2019-16271).
Arbitrary code execution: unauthenticated root shell access through Android Debug Bridge (ADB) leads to arbitrary code execution and system administration (CVE-2019-16273).
Access to Factory Settings: provides full administrative access and thus a covert ability to capture Windows host data from Android, including the Zoom meeting content (audio, video, screenshare) (CVE-2019-16272).
Forescout Research Labs disclosed the vulnerabilities to DTEN in accordance with the Forescout Vulnerability Disclosure Policy and worked collaboratively with the vendor to recommend and verify fixes. As of today, a firmware upgrade is available from DTEN that addresses 3 of the 5 issues, with another update expected in December 2019.
The Evolution of Conferencing and Collaboration Hardware
Over the past decade, consumer smart TVs, which typically run an Android operating system, have been in the spotlight with many vulnerabilities and novel attack methods. In 2018, Consumer Reports conducted a privacy and security evaluation of leading smart TVs. The evaluation found that all the smart TVs tested raised privacy concerns by collecting very detailed information on their users, and that a relatively unsophisticated hacker could remotely change channels, play offensive content, or crank up the volume. As recently as late November, the FBI issued a bulletin highlighting that malicious actors can use smart TVs as a gateway to access home networks and that many of these TVs contain cameras and microphones which could be used to silently cyberstalk users. While these issues previously affected consumers using these devices in their homes, the same hardware is now becoming commonplace in the enterprise as today’s business leaders seek to facilitate communication across their organizations.
A typical enterprise video conferencing system today is composed of hardware and software elements such as microphone arrays, one or more HD cameras, an interactive digital whiteboard and conferencing software with cloud and mobile app components. For example, the DTEN D7 (see Figure 1) is composed of a touchscreen, an integrated PC, a microphone, a speaker, an HD camera, and the Zoom Rooms software. What makes DTEN particularly unique is that it has multiple operating systems: the traditional embedded Android OS (as is the case with most smart TVs) as well as a tightly integrated Windows 10 component to host the Zoom Rooms application. Both operating systems have wireless and wired connectivity, so a single unit presents more than a handful of different OEM network identifiers on the network.
Figure 1: Example of the Components of a Modern Video Conferencing Solution
Source: DTEN
Main Findings
Forescout researchers found that DTEN’s D5 and D7 models contained vulnerabilities allowing for a variety of remote, local and physical access attacks that would enable a bad actor to obtain root shell access on the device, potentially listen in on and/or watch a live meeting, or simply be stealthily and remotely “telepresent” in the same room.
These DTEN systems also come with a popular digital whiteboard and a sharing feature allowing users to easily save and share PDF files of their whiteboard diagrams or drawings with others. Forescout researchers discovered that PDF files from customers’ digital whiteboards were uploaded in the clear (over unencrypted HTTP) to an unprotected, open AWS S3 storage bucket, which exposed the shared whiteboards uploaded by every customer. This could have led to the leakage of sensitive information such as organizational charts, brainstorming sessions containing intellectual property, architectural designs of new products or even sales pipelines. Similarly, locally saved copies of whiteboard files were found exposed on an undocumented, unprotected web server running on the device, making them readily downloadable by anyone on the same network and opening the organization to potential insider threats.
Below are the specific details of each vulnerability that was discovered and disclosed by our researchers.
Each entry below gives the reserved CVE, the type of weakness, a description together with our recommendation to the vendor, the components affected, the severity and the status.
CVE-2019-16270
Type of weakness: Data leakage
Description: DTEN devices store customer data (e.g., PDF files of shared Note App whiteboards) in a misconfigured AWS S3 bucket that is exposed to the public internet via directory traversal. The AWS S3 storage bucket on a dten.com subdomain is misconfigured to be publicly accessible. It contains all customer Notes App whiteboard images (PDFs) as well as Android log files and OTA and maintenance update zip files. Basic directory path traversal on a shared-PDF download exposes a URL that lists all AWS keys (file names); modifying the URL with the marker and max-keys variables allows enumeration of the entire bucket.
Recommendation to the vendor: Disable public access or add authentication in accordance with the AWS security documentation.
Components affected: AWS Cloud API; D5 and D7 firmware older than 1.3
Severity: High
Status: Fixed (AWS bucket no longer public; verified on 10/2/19)
CVE-2019-16274
Type of weakness: Data leakage
Description: The AWS server lacks encryption (HTTP is used rather than HTTPS).
Recommendation to the vendor: Add TLS encryption and enforce HTTPS only.
Components affected: AWS Cloud API; D5 and D7 firmware older than 1.3
Severity: Medium
Status: Fixed (feature discontinued)
CVE-2019-16271
Type of weakness: Unauthenticated web server
Description: On DTEN D7 touchboards, the Android OS is always running and exposes an unauthenticated web server on port 8080/tcp. The server contains all whiteboards saved on the device, so remote attackers within the customer network can connect to the Android IP on port 8080 and download any saved whiteboard PDF documents. File system path: /storage/emulated/0/Notes/PDF
Recommendation to the vendor: Disable this web service or add an authentication mechanism.
Components affected: D5 and D7, firmware 1.3.2 and older
Severity: High
Status: Fixed and verified on D7 only
CVE-2019-16273
Type of weakness: Arbitrary code execution
Description: Android OS: Android Debug Bridge (ADB) access allows unauthenticated root shell access, leading to full system administration and execution of arbitrary code. At least three ways to reach ADB were found: the USB, Ethernet and wireless interfaces. This provides a covert ability to capture screen data from the Zoom client on the connected Windows host by executing commands on the Android OS.
Recommendation to the vendor: Disable access to ADB. Covering the USB and Ethernet ports with a “Do Not Remove” sticker will not remedy this.
Components affected: D5 and D7, firmware 1.3.4 and older
Severity: High
Status: Open (vendor plans to fix in the 1.3.5 release before January 2020)
CVE-2019-16272
Type of weakness: Factory settings access
Description: Android OS: Factory settings access provides a covert ability to capture Windows host data, including the Zoom meeting content.
Recommendation to the vendor: Disable access to the full Factory Settings and expose only user-level settings for updating the device and its configuration.
Components affected: D5 and D7, firmware 1.3.4 and older
Severity: Medium
Status: Open
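As an added example (not DTEN's or Forescout's code) of how a bucket owner would check for the two S3 weaknesses listed above, the following Python audits a bucket policy document and the account's Block Public Access settings offline: it flags Allow statements that grant anonymous read or list access (the exposure behind CVE-2019-16270) and the absence of a Deny on aws:SecureTransport=false (the missing TLS enforcement behind CVE-2019-16274). The bucket name, the weak and hardened policy documents and the Block Public Access settings are constructed samples; the dicts are assumed to have been fetched already (for example with the AWS CLI's get-bucket-policy and get-public-access-block) rather than retrieved by this code.

```python
"""Offline audit of an S3 bucket policy and Block Public Access settings.

Added example, not DTEN's or Forescout's code. The policy documents,
bucket name and account settings below are constructed samples; in
practice the dicts come from get-bucket-policy / get-public-access-block.
"""
import json

PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                       "BlockPublicPolicy", "RestrictPublicBuckets")
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when a statement applies to everyone (Principal "*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _actions(stmt):
    return {a.lower() for a in _as_list(stmt.get("Action", []))}


def _denies_insecure_transport(stmt):
    """True for a Deny on all S3 actions whenever the request is not made over TLS."""
    if stmt.get("Effect") != "Deny":
        return False
    flag = stmt.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
    return str(flag).lower() == "false" and bool(_actions(stmt) & {"s3:*", "*"})


def audit_bucket(bucket, policy, public_access_block):
    """Return a list of human-readable findings; an empty list means both checks pass."""
    findings = []
    statements = _as_list(policy.get("Statement", []))
    for stmt in statements:
        if (stmt.get("Effect") == "Allow" and _is_anonymous(stmt.get("Principal"))
                and _actions(stmt) & READ_ACTIONS):
            findings.append(f"{bucket}: statement {stmt.get('Sid', '<no Sid>')} grants "
                            "anonymous read/list access (cf. CVE-2019-16270)")
    if not any(_denies_insecure_transport(s) for s in statements):
        findings.append(f"{bucket}: no Deny for aws:SecureTransport=false, "
                        "plain HTTP requests are accepted (cf. CVE-2019-16274)")
    # Report each Block Public Access flag separately so the output names the missing control.
    for flag in PUBLIC_ACCESS_FLAGS:
        if not public_access_block.get(flag, False):
            findings.append(f"{bucket}: Block Public Access setting {flag} is off")
    return findings


# Constructed sample: the weak configuration (public read/list, no TLS rule).
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}

# Constructed sample: the hardened configuration (no public grant, HTTPS only).
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
}
HARDENED_PUBLIC_ACCESS_BLOCK = {flag: True for flag in PUBLIC_ACCESS_FLAGS}

if __name__ == "__main__":
    for name, pol, pab in (("weak", WEAK_POLICY, {}),
                           ("hardened", HARDENED_POLICY, HARDENED_PUBLIC_ACCESS_BLOCK)):
        print(name, json.dumps(audit_bucket("example-bucket", pol, pab), indent=2))
```

Running the audit on WEAK_POLICY with no Block Public Access settings yields six findings (the public grant, the missing TLS rule and the four unset flags); HARDENED_POLICY with all four flags enabled yields none. The Deny statement in the hardened policy is the standard way to satisfy the "enforce HTTPS only" recommendation, and Block Public Access is the account-side backstop that stops a future policy edit from reopening the bucket.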
Disclosure Timeline
July 2019: Discovery of the five vulnerabilities
8/2/19: Disclosure to the vendor (start of our 90-day grace period)
8/15/19: Vendor responds with acknowledgement and plans to fix
10/7/19: Vulnerability CVE-2019-16270 and CVE-2019-16274 verified as fixed (AWS S3 bucket made private) on D7 models
10/24/19: Vulnerability CVE-2019-16271 verified as fixed on D7 models
11/2/19: 90-day grace period expires
12/5/19: CVE-2019-16273 and CVE-2019-16272 remain open; DTEN confirms the 1.3.5 update release will be available before the end of the year
To any user that owns a vulnerable DTEN D5 or D7, we recommend the following actions:
Contact DTEN to request manual firmware update files (any version below 1.3.4 is affected) and instructions for manual updates (reflashing the device via USB). According to the vendor, however, after version 1.3.5 is released in December, updates are expected to become OTA and managed via the Zoom Rooms Portal.
Prevent user and network access to the Android client since according to DTEN it is not necessary for the proper functioning of the video conferencing system.
Harden the Windows operating system by disabling all unnecessary functionality, enabling AutoUpdates and installing EDR or AV solution.
Real-time network monitoring and segmentation are crucial for tracking these devices’ location, status and behavior in order to spot anomalies and contain suspicious activity.
For Forescout customers, we suggest the following additional recommendations:
Deploy Forescout eyeSight and SecureConnector (recommended for enforcing stronger policy templates but not necessary for detection) on the Windows client to manage and monitor the device.
Update Device Profile Library to the latest version (DPL-19.1.11 / 19.0.11, or the upcoming December release for DPL-19.1.12 / 19.0.12) which includes fingerprints to identify DTEN on the network and create a custom policy to detect and block the Android client, allowing only the Windows client to communicate.
Deploy eyeSegment and implement network segmentation to restrict lateral movement across the network and only allow outbound/egress traffic to required DTEN and Zoom domains.
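The recommendations above (no user or network access to the Android client, monitoring for anomalous device behavior, and egress limited to the required DTEN and Zoom domains) can be expressed as detection logic over flow records. The following Python is an added example, not Forescout's or DTEN's code and not a Forescout policy template: it takes a small asset inventory and a list of flows and raises alerts for any connection to a unit's Android client (rated high when it targets the whiteboard web server from CVE-2019-16271 or ADB), for lateral connections from a unit into the site network, and for egress to hosts outside the allowed domains. The inventory, site network, allowed-domain list, addresses and flow records are all constructed samples, and 5555/tcp as the ADB-over-TCP port is an assumption rather than something the advisory states.

```python
"""Flag network activity around a DTEN D5/D7 that the recommendations say should not occur.

Added example, not Forescout's or DTEN's code. The inventory, site network,
allowed domains, addresses and flow records are constructed samples; the ADB
port (5555/tcp) is assumed.
"""
import ipaddress
from dataclasses import dataclass

SITE_NET = ipaddress.ip_network("10.10.0.0/16")       # constructed site range
ALLOWED_EGRESS_DOMAINS = ("dten.com", "zoom.us")       # constructed allow-list
INVENTORY = {                                          # constructed: one unit, two network identities
    "boardroom-1": {"windows": "10.10.5.20", "android": "10.10.5.21"},
}
ANDROID_SERVICES = {
    8080: "unauthenticated whiteboard web server (CVE-2019-16271)",
    5555: "ADB over TCP, assumed port (CVE-2019-16273)",
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    dst_name: str = ""   # destination host name as seen in DNS or proxy logs, if any


def _domain_allowed(name):
    """True when the host name is one of the allowed domains or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in ALLOWED_EGRESS_DOMAINS)


def analyze(flows, inventory=INVENTORY):
    """Return (severity, unit, message) tuples for flows that violate the policy."""
    android = {u["android"]: name for name, u in inventory.items()}
    unit_ips = {ip: name for name, u in inventory.items() for ip in u.values()}
    alerts = []
    for f in flows:
        if f.dst in android:
            # Nothing should talk to the Android client at all; its two known
            # services are the worst case.
            reason = ANDROID_SERVICES.get(f.dport, "access to the Android client")
            sev = "high" if f.dport in ANDROID_SERVICES else "medium"
            alerts.append((sev, android[f.dst], f"{f.src} -> {f.dst}:{f.dport}/{f.proto}: {reason}"))
        elif f.src in unit_ips and f.dst not in unit_ips:
            if ipaddress.ip_address(f.dst) in SITE_NET:
                alerts.append(("medium", unit_ips[f.src],
                               f"lateral {f.src} -> {f.dst}:{f.dport}/{f.proto}"))
            elif not _domain_allowed(f.dst_name):
                alerts.append(("medium", unit_ips[f.src],
                               f"egress {f.src} -> {f.dst_name or f.dst}:{f.dport}/{f.proto} "
                               "outside allowed domains"))
    return alerts


SAMPLE_FLOWS = [  # constructed
    Flow("10.10.7.33", "10.10.5.21", 8080, "tcp"),                     # workstation -> whiteboard server
    Flow("10.10.7.33", "10.10.5.21", 5555, "tcp"),                     # workstation -> ADB
    Flow("10.10.7.40", "10.10.5.21", 443, "tcp"),                      # any other access to Android
    Flow("10.10.5.20", "203.0.113.10", 443, "tcp", "rooms.zoom.us"),   # permitted egress
    Flow("10.10.5.20", "203.0.113.77", 443, "tcp", "files.example.net"),  # unexpected egress
    Flow("10.10.5.20", "10.10.9.14", 445, "tcp"),                      # lateral movement from the unit
]

if __name__ == "__main__":
    for sev, unit, msg in analyze(SAMPLE_FLOWS):
        print(f"[{sev}] {unit}: {msg}")
```

On the constructed flows the analyzer raises five alerts and stays silent on the Zoom Rooms connection. Keying the rules on the inventory rather than on ports alone matters because each unit has several OEM network identifiers; the same logic applies to whichever flow or NetFlow source the monitoring platform exports.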
What This Means for Enterprises
Businesses are increasingly adopting video conferencing solutions and enterprise collaboration systems such as DTEN’s to enable better collaboration across teams and geographies. These devices are highly sophisticated, with technology that delivers major business benefits. However, even with those significant benefits, common security problems like those discovered in DTEN gear can have consequences for the many consumers that use these IoT devices.
In the worst case, these types of security vulnerabilities could lead to a significant data breach or corporate espionage. For instance, a vulnerable smart collaboration system could provide an open gateway for an attacker to move laterally and compromise an enterprise’s infrastructure and databases. Or it could enable a malicious actor to engage in corporate espionage by remotely listening in on or watching conference boardrooms and executive offices without being detected by the victim organization.
Our research of DTEN devices demonstrates that products like these can pose a security threat to an organization if left unpatched or unprotected on corporate networks. As IoT devices like these become more pervasive in the enterprise, organizations need to carefully consider the security implications and take the necessary risk mitigation steps.