Flaws found in wireless presentation system ClickShare; patch issued

Barco NV patches security vulnerabilities in its popular wireless presentation system ClickShare after being alerted by F-Secure researchers

Wireless presentation system ClickShare harboured vulnerabilities that could help attackers steal data, warned F-Secure. Barco NV, the Belgian technology company which sells the system, has now patched the security vulnerabilities, it announced.

"In October of this year, consultants from F-Secure reached out and shared that they had managed to gain access to our ClickShare solution," said product management director Michael Vanderheeren in the announcement. 

"By upgrading to our 1.9.1 software release, customers can further harden their devices and continue enjoying the best experience and security on their ClickShare. We strongly recommend all customers to upgrade to this latest version."

"The discovered flaws range from almost benign information disclosure, providing an attacker with an insight into some system logs, to being able to intercept communications between the ClickShare Button and the Base Unit," F-Secure senior consultant Dmitry Janushkevich told SC Media UK. 

"Some of the flaws range from compromising both devices, to compromising any system running Windows 10 with driver installation from Windows Update enabled." 

The wireless presentation system had a market share of 29 percent, according to FutureSource Consulting’s ‘Global wireless presentation solutions 2019’ report. The issues made the product unsuitable for sharing any kind of sensitive or confidential information, which is a very typical use case for enterprise customers, said Janushkevich.

"One of the main goals during the research was to intercept transmitted information such as video and audio content being presented. While the media stream used to transport that content is encrypted, an attacker is able to perform a Man-in-the-Middle attack against the button device presenting the content data and could intercept the encryption key used for media stream encryption," he explained.

"Subsequently, the attacker would use the intercepted key to decrypt intercepted media streams. As the Buttons use Wi-Fi to communicate, this attack can be carried out remotely, allowing for example, an attacker situated outside a meeting room to observe information being presented inside."

Barco’s product security incident response team (PSIRT) has not detected any data breach caused by the vulnerabilities, said the company announcement. 

"Security flaws always sound very scary, as most of us think of intercepting information, installing malware or retrieving passwords. To date, we have not received any reports of vulnerabilities being exploited in the wild, and when upgraded to the 1.9.1 software, the only way to get access to confidential information will be through physical access to the ClickShare Base Unit," said PSIRT member David Martens in the announcement. 

"Simply put: unless you go through the hassle of tampering with the electronics inside the Clickshare hardware, you will not get access to any information," he added. However, users are warned that the threat still looms large.

"F-Secure has identified the Systems-on-Chip (SoCs), which are at the heart of both the Button and Base Unit devices, as being affected by known vulnerabilities. Since the affected code is located in read-only memory and cannot be modified by software, it is not possible to issue a software update that would mitigate these issues. Therefore, either the chips need to be physically replaced with the ones containing patched code or the whole unit needs to be replaced with a new one,"  Janushkevich told SC Media UK. 

"An attacker with physical access to the affected device would be able to subvert the secure boot process, bypass code signature verification, and execute arbitrary code on the affected devices, gaining complete control over the device at the earliest boot stage."
