How a conference room speakerphone might let attackers into your company network
Several egregious vulnerabilities affecting the Stem Audio Table conference room speakerphone could be exploited by attackers to eavesdrop on what’s being discussed in its proximity, download malicious firmware, achieve and maintain network persistence, and more, GRIMM researchers have discovered.
The vulnerabilities in the Stem Audio Table conference room speakerphone
CVE numbers have yet to be assigned, but the vulnerabilities found include:
- Stack buffer overflow and command injection flaws that could allow attackers to execute arbitrary code as root on the device
- Bugs that could be exploited to bypass the (weak) authentication mechanism for accessing the web-based GUI, discover the current password, and control the device
- Flawed usage of encryption in the communication between the STEM Audio Table device and the web GUI
- Unsigned update packages (tarballs)
These are present in versions 2.0.0 and 2.0.1 of the device firmware.
“VoIP devices like the STEM Audio Table are essentially network-connected microphones. Their compromise, through the described RCE vulnerabilities, could allow attackers to passively eavesdrop on nearby conversations and quietly maintain network persistence,” the researchers explained.
“Such a foothold inside an organization provides a stable position for further network operations, data collection, and surveillance from a device that is unlikely to attract much attention. Without proper device isolation in the network, collected data can easily be exfiltrated over the Internet back to attackers.”
Vulnerabilities that provide access to the control interface can be used to render the device temporarily inoperable or to gather the device administrator password. The fact that the device does not check the signatures of the served updates means that attackers can easily provide a malicious one.
“While GRIMM did not analyze all services running on the Stem Audio Table device, it was noted that all of the observed services were running under the root user. The impact of this design decision is that any other exploitable vulnerabilities within these services could provide attackers with root privileges,” they noted.
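The missing signature check on update tarballs described above is closed by verifying a detached signature before anything is unpacked. The following is an added example, not code from Stem, Shure or GRIMM; it assumes an RSA key with a SHA-256 detached signature checked by openssl, and every file and function name in it is hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code). Assumed: RSA key, SHA-256 detached signature,
# openssl and tar available; all file names are hypothetical.

# verify_update PUBKEY TARBALL SIG: succeeds only for a valid detached signature.
verify_update() {
    [ -r "$1" ] && [ -r "$2" ] && [ -r "$3" ] || return 2
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# install_update PUBKEY TARBALL SIG DESTDIR: verify first, then unpack.
install_update() {
    verify_update "$1" "$2" "$3" || {
        echo "update rejected: missing or invalid signature" >&2; return 1; }
    # Defence in depth: refuse absolute or parent-directory member paths.
    if tar -tzf "$2" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "update rejected: unsafe member path" >&2; return 1
    fi
    mkdir -p "$4" && tar -xzf "$2" -C "$4"
}

# make_demo_update DIR: constructed throwaway key, payload and signature.
# (In a real deployment the private key never leaves the vendor's build system.)
make_demo_update() {
    mkdir -p "$1/src" &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/priv.pem" 2>/dev/null &&
    openssl pkey -in "$1/priv.pem" -pubout -out "$1/pub.pem" &&
    echo "constructed firmware payload" > "$1/src/app.bin" &&
    tar -czf "$1/update.tgz" -C "$1/src" app.bin &&
    openssl dgst -sha256 -sign "$1/priv.pem" -out "$1/update.sig" "$1/update.tgz"
}

# demo: a signed package installs; the same package with bytes appended does not.
demo() {
    d=$(mktemp -d) || return 1
    make_demo_update "$d" || return 1
    install_update "$d/pub.pem" "$d/update.tgz" "$d/update.sig" "$d/ok" &&
        echo "signed update installed"
    cp "$d/update.tgz" "$d/modified.tgz" && echo tampered >> "$d/modified.tgz"
    install_update "$d/pub.pem" "$d/modified.tgz" "$d/update.sig" "$d/bad" ||
        echo "modified update refused"
    rm -rf "$d"
}
demo
```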
A sign of a wider problem
While Shure, the parent company of Stem, reacted quickly and pushed out the necessary security updates, it is unfortunate that they introduced these vulnerabilities in the first place.
It is also unfortunate that these vulnerabilities and design flaws are, according to the researchers, common in other networked video teleconferencing devices throughout the small commodity hardware industry (VoIP phones, network-connected cameras, other ‘smart’ devices).
“This is a case study showing the inherent risk of modern video teleconferencing devices and why these types of products should have some level of security review before procurement,” GRIMM security researcher Adam Nichols pointed out.
And if you're okay with the worst case scenario, like a microphone covertly listening at any time, then don't put any effort in thinking about any of this. That's a completely legitimate option. But whatever you do, make it a conscious decision.
And always test your assumptions.
— ☣Adam (@AdamOfDc949) June 9, 2021
He advises companies to audit devices before deploying them within company infrastructure, to implement proper network isolation, to research how the vendor deals with security (e.g., check for security advisories), and to search for blog posts from security researchers who have previously investigated the product.