Cute face and a range of capabilities
The Meeting Owl provides a range of capabilities: it can work as a standalone webcam, as one of two or more Owls connected to each other through Bluetooth, or as a Wi-Fi access point. In addition to the device with the distinctive Owl face, the Meeting Owl Pro also includes a companion app for iOS or Android, which can be used to administer devices inside the network of the organization using it. Customers can also use an account on the Owl Labs website to monitor and control devices.
Government agencies, colleges, and other organizations have heavily promoted Meeting Owls as a means for hosting meetings that otherwise wouldn't be possible during the pandemic.
A system overview is directly below, and below that is a diagram of the internal communications:
A literal road map for would-be hackers
As modzero dug into the device features, it quickly discovered that the details customers enter during the enrollment phase and the most recent connections that follow are stored in a database hosted on the Internet. No password is required to access the data. Instead, all that’s needed is a valid Meeting Owl serial number. The researchers developed a script that automatically presented the database with every possible serial number. The server, the researchers said, responded with details for each one that had been registered.
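The weakness modzero describes is a lookup keyed only by a guessable serial number, with no check that the caller owns the device. The added Python example below contrasts that pattern with an owner-bound lookup and a simple enumeration monitor; it is not Owl Labs' or modzero's code, and the registry fields, serial format and session tokens are assumptions made for the illustration.

```python
"""Unauthenticated device lookup by serial number, beside a hardened form.

Added example, not Owl Labs' or modzero's code. The registry schema, the
serial-number format and the session tokens are constructed for the demo.
"""
from collections import defaultdict
from typing import Optional

# Constructed sample registry: serial -> enrollment details and owner account.
REGISTRY = {
    "OWL-000123": {"owner": "alice@example.org", "last_ip": "203.0.113.7", "site": "HQ"},
    "OWL-000124": {"owner": "bob@example.org", "last_ip": "198.51.100.9", "site": "Branch"},
}
# Constructed sessions: bearer token -> authenticated account.
SESSIONS = {"tok-alice": "alice@example.org", "tok-bob": "bob@example.org"}


def lookup_weak(serial: str) -> Optional[dict]:
    """The flawed pattern: whoever presents a valid serial receives the record."""
    return REGISTRY.get(serial)


def lookup_hardened(serial: str, token: str) -> Optional[dict]:
    """Require a session and return the record only to the device's owner.

    An unknown serial and a serial owned by someone else give the same
    answer, so the endpoint cannot be used as an oracle for which serials
    are registered.
    """
    account = SESSIONS.get(token)
    if account is None:
        return None
    record = REGISTRY.get(serial)
    if record is None or record["owner"] != account:
        return None
    return record


class EnumerationMonitor:
    """Server-side detection: flag a source probing many distinct serials."""

    def __init__(self, threshold: int = 20):
        self.threshold = threshold
        self.seen = defaultdict(set)  # source_ip -> set of serials tried

    def observe(self, source_ip: str, serial: str) -> bool:
        """Record one lookup; return True once the source crosses the threshold."""
        self.seen[source_ip].add(serial)
        return len(self.seen[source_ip]) >= self.threshold
```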
“By exploiting the vulnerabilities we found during our analysis, an attacker can find registered devices, their data, and owners from around the world,” the researchers wrote in a short post. “Attackers can also access confidential screenshots of whiteboards or use the Owl to get access to the owner's network. The PIN protection, which protects the Owl from unauthorized use, can be circumvented by an attacker by (at least) four different approaches.”
Combined with other weaknesses, the lack of authentication exposes networks to serious risk. One result is maps like the one below, which show the recent locations of real users. When combined with the users’ identities, IP addresses, and other details, the data provides a literal road map for would-be hackers, who can then mount attacks over the Internet or proximity attacks that exploit the Bluetooth flaws to take control of a Meeting Owl and use it to burrow into the network it's connected to.
The post also shows one of many images exposed by a recently introduced whiteboard feature that’s incorporated into the video viewed by meeting participants. Owl Labs suspended whiteboard functionality in March after receiving modzero's private report of the vulnerability.
“According to our analysis described above, the Meeting Owl is currently everything but safe,” the researchers concluded.
With Owl Labs claiming that Meeting Owl is used by more than 100,000 organizations worldwide, the vulnerabilities pose a serious collective risk that’s likely to outweigh any benefits. Besides being used by multiple state governments—including Virginia’s Department of Energy—Owl Labs videoconferencing is widely embraced by local municipalities, and there’s some evidence it also may be used by some federal government agencies.
“The only advice that I have at the moment is to turn the devices off until the Bluetooth-related vulnerabilities are mitigated,” modzero co-CEO Thorsten Schröder wrote in a direct message. “Disabling the Wi-Fi connection to the local network is not sufficient, as an attacker can turn it on again via Bluetooth. The Owl's network must not have access to internal infrastructure.”