The US cybersecurity agency CISA has removed several Owl Labs product flaws from its Known Exploited Vulnerabilities (KEV) Catalog after SecurityWeek privately called into question its decision.
In mid-September, CISA added to its KEV catalog four vulnerabilities affecting Owl Labs’ Meeting Owl smart video conferencing product, a device shaped like an owl that features a 360° conference camera, a mic, and a speaker. Another Meeting Owl flaw was previously added to the KEV list.
The Meeting Owl vulnerabilities, discovered last year by researchers at Swiss cybersecurity firm Modzero, include inadequate encryption, hardcoded credentials, missing authentication, and improper authentication issues. An attacker can use them to take control of the targeted Meeting Owl device and turn it into a rogue access point, but exploitation would require an attacker to be in Bluetooth range of the targeted Meeting Owl device.
CISA announced this week that it has removed the Meeting Owl vulnerabilities, citing insufficient evidence of exploitation.
“CISA is continually collaborating with partners across government and the private sector. As a result of this collaboration, CISA has concluded that there is insufficient evidence to keep the [five Meeting Owl] CVEs in the catalog and has removed them,” the agency said.
When the vulnerabilities were added to the KEV list, SecurityWeek reached out to both CISA and the vendor for confirmation of malicious exploitation, because there were no public reports of exploitation and the vulnerabilities seemed unlikely to be useful to threat actors, as they require the attacker to be in Bluetooth range. Malicious hackers exploiting vulnerabilities via Bluetooth is, as far as we know, unheard of.
However, when faced with similar inquiries in the past, CISA insisted that only flaws for which it has reliable evidence of exploitation in the wild are added to the KEV catalog. In this case, it would have meant that the vulnerabilities were likely exploited by a highly motivated and sophisticated attacker as part of a targeted espionage campaign rather than as part of opportunistic operations.
CISA has still not responded to SecurityWeek’s inquiry. When contacted in mid-September, Owl Labs’ response suggested that the company had not been aware of any attacks. The vendor informed SecurityWeek of CISA’s decision to remove the CVEs from its catalog on Thursday, but did not say why the cybersecurity agency thought the vulnerabilities were exploited.
When the flaws were added to the KEV catalog, Tenable’s Ben Smith noted in a blog post, “I’m not currently aware of any [Bluetooth Low Energy (BLE)] vulnerabilities actually exploited in the wild. I’m also not aware of any malware that contains Bluetooth or BLE functionality. Evidence would probably look like either logs from the device or a sample of the malware with this capability. If this is true, it likely marks the first time we have such evidence of exploitation of BLE vulnerabilities.”
Smith explained at the time that there are two primary paths for exploiting these types of vulnerabilities: by directly targeting a device from close range via Bluetooth or by using a remotely compromised device that is in the target’s vicinity.
A Bluetooth attack can theoretically be launched from up to 330 feet away in the case of the Owl Labs device, a range that could in some scenarios be reached from a parking lot or sidewalk near the building housing the targeted device. The scenario involving a compromised device is not easy to achieve.
“Attackers could use BLE enumeration apps or install command-line tools like hcitool or gatttool to dive deeper into BLE exploration, but these are not installed by default on most laptops or mobile devices. So, malware wanting to exploit BLE vulnerabilities in a remote device would need to include such capabilities or an attacker would need to write some code to use BLE APIs exposed on the compromised device. These vary across operating systems and architectures,” Smith explained.