Last year, Crestron was the focus of some cyber activists who found vulnerabilities in Crestron touch controllers that could theoretically allow someone to use touch screens to spy on the person in the same room. This was covered in a class at a hacktivist conference called DEFCON and subsequently was written up in WIRED Magazine. Mark Coxon wrote more about it here.
Late last month, a cybersecurity company called Tenable was looking for vulnerabilities in Crestron’s AM-100 and AM-101 wireless presentation devices. The researcher, Jacob Baines, found vulnerabilities in those Crestron products — but also discovered something else. Crestron had found and patched a vulnerability in June 2018 on its own (though without telling anyone, apparently). The weird thing was that another company had already released a patch for the same problem more than a year prior, in April of 2017. That company was one Baines had never heard of — Barco — and it had fixed the problem in its own product on the market, WePresent. Baines did some investigating (and it’s complicated) and found six additional companies selling products with the same vulnerability, all at different stages of fixing it.
You can already probably figure out what was going on — all the products came from the same OEM (Original Equipment Manufacturer) and used the same software code base, and that shared code base is where the vulnerability lived. In this case, it was code from Barco’s subsidiary company, AWIND, which it purchased in 2013. Barco found the vulnerability on its own and patched it for its own product, the wePresent WiPG-1000, in April 2017. Crestron found the same vulnerability, along with some other problems, more than a year later, in June 2018, and patched those. But the other problems Crestron found and patched in June 2018 had not yet been found by Barco.
So you can see the problem — an OEM company makes a product. Another brand takes the product on, marketing, selling and supporting it as its own. But there is no ongoing relationship between the OEM and the company selling the product, at least as far as this particular product is concerned — and there is certainly no relationship between the multiple companies out there who all happen to be selling slightly different versions of similar products built on the same underlying code.
When Tenable asked Barco to disclose its other ODM partners so Tenable could make them aware of the problem, Barco said, “We can only provide information for Barco products and cannot provide any information about ODM [Original Design Manufacturer] partners as this is company restricted information.”
I asked Barco for comment and they sent a long statement, part of which is this:
Beginning of May 2019 researchers at Tenable disclosed 15 critical vulnerabilities found in eight different Wireless Presentation and Collaboration systems. Both ThreatPost as well as Security Week covered these findings extensively. While any security vulnerability found leaves its mark on the industry, we would like to grasp this opportunity to stress the importance of the security topic.
“You can never claim you are 100% secure. What we have to ensure, therefore, is that we are proactive and that our response is ready to swing into action at short notice. For that, these risks must be acknowledged and the right mitigations and processes have to be in place.” — David Martens, product security architect
The fact that a patch for these vulnerabilities has been released on our Barco WePresent solutions before the article was even published is a confirmation of our commitment to security and its corresponding process.
At Barco we provide regular, free software updates to improve our products and solve these vulnerabilities as soon as we are aware of them. All our products sold today include software updates throughout the lifetime of the product providing you the best possible experience.
However, limiting the threat of possible vulnerabilities is a collaboration of many. While we have implemented measures like auto-update to ensure all your devices are always up-to-date, the following advice can help you to regain your peace of mind on any security concerns.
- Enable auto-update. While all of our units come with auto-update enabled out of the box, we encourage you to review the settings and connect your Barco product to the network. This will both allow you to monitor your device through XMS as well as enjoy managed updates by Barco.
- Collaborate with IT. Ensure that the devices, when connected to the network, are not publicly accessible from the World Wide Web, preventing unauthorized access. Discuss which network configuration is required for an optimal experience both with the ClickShare Button as well as with our Apps. You can find all details in our networking deployment guide.
- Collaborate with Security. We advise our customers to execute a penetration test on any product they have on their shortlist. Barco executes both internal and external penetration tests on both hardware and software products and our internal team is willing to collaborate with you on providing the necessary details and products to do your validation.
- Collaborate towards a solution. We always encourage our customers to speak up about any possible vulnerability found and reach out to the manufacturer of the product. Solving security vulnerabilities requires communication between both parties, preferably even through a secure channel which we can help you to set up.
For disclosure’s sake, they also sent a bunch of comments about how secure ClickShare is (not the product in question, though). I told Barco I knew they had patched the vulnerability in their WePresent products well before Tenable found it, but wanted to know if they had told their OEM partners, who were also vulnerable, to which they said: “By nature OEM customer relations are private, and therefore we prefer to not release any details. But we can assure that our OEM partners have been contacted upfront, and that we are teaming with them to offer them and their customers the best solution possible.”
We talked to another OEM partner, one of the manufacturers mentioned in the Tenable investigation but who did not wish to be named, who said they never received any information from Barco or AWIND about the vulnerability and only found out when contacted by Tenable earlier this year.
So I get it — no company wants to talk about OEM partnerships and potentially admit to not making all or part of its own products. That’s an understandable business position for Barco and its partner companies, but if issues with products aren’t being disseminated through appropriate channels to get all affected products updated, that’s certainly not good for customers. In the meantime, eight manufacturers are now fixing serious vulnerabilities in wireless products that in some cases someone else fixed (at least partially) over two years ago. And there may be more out there, but since Barco won’t disclose which other companies might be reselling versions of the AWIND product, we only have the eight that Jacob Baines found on his own.
If you ask most people in our industry where we are in the AV/IT convergence process, everyone says that convergence is already here. That may be the case, but this situation illustrates how far we still have to go. We do not yet have the business processes or infrastructure set up to deal with the problems that crop up when so much more of our products and systems are software-based rather than hardware-based.
Barco’s own product security architect, David Martens, says above in Barco’s statement: “You can never claim you are 100% secure. What we have to ensure, therefore, is that we are proactive and that our response is ready to swing into action at short notice. For that, these risks must be acknowledged and the right mitigations and processes have to be in place.”
I couldn’t agree more, David. But that should include a system for proactive notification of OEM partners too.