CISA Reverses Course on Malicious Exploitation of Video Conferencing Device Flaws
The US Cybersecurity and Infrastructure Security Agency (CISA) recently removed five vulnerabilities affecting Owl Labs’ Meeting Owl smart video conferencing product from its Known Exploited Vulnerabilities (KEV) Catalog. The vulnerabilities, discovered by researchers at Modzero, include encryption flaws, hardcoded credentials, and authentication issues. However, CISA cited insufficient evidence of exploitation for their removal from the catalog. The vulnerabilities would require an attacker to be in Bluetooth range of the device, making it unlikely to be exploited.
What is the KEV Catalog?
The KEV Catalog is a list of known vulnerabilities that have been exploited by threat actors in the past. It is maintained by CISA and is used by federal agencies to prioritize their patching efforts. The catalog includes vulnerabilities that have been exploited in the wild and those that have not yet been exploited but are considered high-risk.
The Meeting Owl Vulnerabilities
The Meeting Owl is a smart video conferencing device that uses artificial intelligence to automatically focus on the person speaking in a meeting room. Researchers at Modzero discovered five vulnerabilities in the device that could allow an attacker to control it. These include encryption flaws, hardcoded credentials, and authentication issues. However, the vulnerabilities would require an attacker to be in the Bluetooth range of the device, making it unlikely to be exploited.