ClickShare customers urged to update
Researchers at F-Secure, the Finnish cybersecurity firm, have disclosed multiple flaws within a popular wireless presentation system.
The vulnerabilities found in ClickShare – a product used by Fortune 1000 companies and produced by the Belgian tech company Barco – could be exploited by an attacker to intercept communications, steal information, and potentially cause further damage to an organization’s network, F-Secure said.
“For an attacker, this is a fast, practical way to compromise a company, and organizations need to inform themselves about the associated risks,” Dmitry Janushkevich of F-Secure’s hardware security team said in a blog post published today (December 16).
“The everyday objects that people trust without a second thought make the best targets for attackers, and because these systems are so popular with companies, we decided to poke at it and see what we could learn.”
ClickShare is an office collaboration tool that connects to WiFi in order to share content from multiple devices, enabling employees to work from anywhere in the world.
But vulnerabilities in the tool could be exploited remotely if the software’s default WiFi settings, contained in a paired button device, are being used.
“One of the main goals during the research was to intercept transmitted information such as video and audio content being presented,” Janushkevich told The Daily Swig.
“While the media stream used to transport that content is encrypted, an attacker is able to perform a man-in-the-middle attack against the button device presenting the content data and could intercept the encryption key used for media stream encryption.
“Subsequently, the attacker would use the intercepted key to decrypt intercepted media streams.”
According to Janushkevich, the flaws impact the ClickShare-100 units with software versions 1.6.1.2 and 1.8.1.2 and bundled Button firmware versions.
Close collaboration
F-Secure notified the company about the vulnerabilities it discovered on October 9, 2019.
“Since then, we have kept in touch to answer any technical questions regarding the findings the vendor had,” Janushkevich said.
Barco has released a firmware update, 1.9.1, in response to some of the identified flaws.
“To date, we have not received any reports of vulnerabilities being exploited in the wild, and when upgraded to the 1.9.1 software, the only way to get access to confidential information will be through physical access to the ClickShare Base Unit,” David Martens, member of Barco’s Product Security Incident Response Team (PSIRT), said in a post published by the company.
“Simply put: unless you go through the hassle of tampering with the electronics inside the ClickShare hardware, you will not get access to any information.”
Physical access to the tool could enable an attacker to easily compromise the system and the devices belonging to its users.
This could be done through vulnerabilities present in the ClickShare buttons – the part that gets plugged into a USB port of a computer, F-Secure said.
“F-Secure has identified the Systems-on-Chip (SoCs), which are at the heart of both the button and Base Unit devices, as being affected by known vulnerabilities,” Janushkevich said.
“Since the affected code is located in read-only memory and cannot be modified by software, it is not possible to issue a software update that would mitigate these issues.
“Therefore, either the chips need to be physically replaced with the ones containing patched code or the whole unit needs to be replaced with a new one.”
All customers are urged to install the software upgrade and can do so through the ClickShare Unit’s ‘auto-update’ function, or manually via the Barco website.