Researchers at Tenable have discovered a total of 15 vulnerabilities across eight wireless presentation systems, including flaws that can be exploited to remotely hack devices.
Wireless presentation systems make it easier for users to display content on a screen or through a projector from laptops and mobile devices. They are often used in enterprises and educational organizations.
The security holes were discovered during the analysis of Crestron AirMedia AM-100 and AM-101 products, but it turned out that these devices shared code with presentation systems from several other vendors. As a result, some of the 15 flaws also impact Barco wePresent, Extron ShareLink, InFocus LiteShow, TEQ AV IT WIPS710, SHARP PN-L703WA, Optoma WPS-Pro, Blackbox HD WPS, and possibly products from other vendors. Barco appears to be the OEM for some of these devices.
The vulnerabilities, some of which have been classified as “critical,” include issues that can be exploited for command injection and for gaining unauthorized access to a device.
Several of the flaws allow a remote, unauthenticated attacker to inject operating system commands, while others can be exploited remotely without authentication to change admin and moderator passwords, view presentations, bypass authentication with a hardcoded session ID, hijack moderator controls and start or stop screen-sharing sessions, and cause a denial-of-service (DoS) condition.
Tenable also uncovered default administrator passwords and credentials stored in plain text (accessible to authenticated users).
A Shodan search showed hundreds of internet-exposed Crestron AirMedia devices, mostly located in the United States and Canada and mostly used by universities. Jacob Baines, the Tenable researcher credited for finding the flaws, said he had identified over 100 different universities in North America that exposed these devices to the internet.
Tenable started reporting the flaws to impacted vendors in mid-January and the companies have been given 90 days to release patches. Crestron told Tenable that it had been aware of 8 of the vulnerabilities and it had been working on fixes. However, at the time of the cybersecurity firm’s disclosure, only Extron and Barco appeared to have released firmware updates. Crestron’s website indicates that the AM-100 and AM-101 products have been discontinued.
Until patches become available, users can reduce the risk of attacks by ensuring that these systems are not exposed to the internet.
Internet of Things (IoT) devices are often targeted by cybercriminals so it’s important that users install patches and implement mitigations. In fact, the Barco wePresent WiPG-1000 product, which is covered by Tenable’s research, has been targeted by the notorious Mirai botnet.