Meeting room management devices from Evoko have flaws that can be exploited by malicious actors in attacks aimed at enterprises that use the product, researchers warned.
The Evoko Liso product allows the employees of an organization to book meeting rooms from their calendar or by using the touchscreen interface of the device installed at each meeting room’s door. The system is managed, configured and updated via the Evoko Home software.
The product is used by thousands of organizations worldwide, including the U.S. Senate, Microsoft, Verizon, HP, Atos, Coca Cola, Siemens, DHL, Ernst & Young, Philips and McDonald’s.
Researchers at TrueSec performed a three-day analysis of the solution for a client and discovered that it’s affected by many potentially serious vulnerabilities, including ones that can be exploited to remotely hijack the device.
One of the flaws allows an attacker who has physical access to the device to boot a custom Linux system from a USB drive and install a backdoor that remains active even after a firmware update. The flaw can be exploited to access sensitive information, including passwords, and to create a reverse shell on the device.
Researchers determined that the device’s firmware upgrade process is also vulnerable. They discovered that while firmware images are encrypted, the encryption key is derived from a hardcoded password, and the firmware update functionality does not include integrity and authenticity checks. The firmware update process is also vulnerable to man-in-the-middle (MitM) attacks.
Malicious actors could also manipulate firmware metadata and file content to exploit an arbitrary file write vulnerability that allows the execution of arbitrary code with root privileges.
Experts said hackers can also execute shell commands as root by abusing the device’s Wi-Fi connection menu.
As for the Evoko Home software, researchers determined that an attacker with network access to the application can exploit various flaws to create new admin accounts, send out emails, cause a denial-of-service (DoS) condition, and read arbitrary files on the system.
Experts also said the DDP remote procedure call used between Liso and Home allows unauthenticated connections, which can be exploited by attackers to obtain sensitive information, trigger firmware updates, and send emails.
TrueSec reported its findings to Evoko in late January. The vendor told researchers that most of the issues they reported have been patched in recent releases of its firmware, and steps have been taken to mitigate remaining issues. TrueSec said it could not confirm these claims as the company no longer has access to the tested Evoko Liso devices.
SecurityWeek has reached out to the vendor for comment last week, but the company has not responded.
“The Evoko Liso device is a typical example of embedded equipment that will be connected to a corporate network. These devices contain a full Linux system, but corporate IT admins have very little control over them (due to their encapsulated design and limited interfaces). This leaves most of the security decisions to the device vendors – for application code, operating system and third party libraries,” TrueSec’s Emil Kvarnhammar said in a blog post. “It is crucial that IoT vendors build secure and robust systems, and that the systems can be updated remotely in a secure fashion when new vulnerabilities are discovered.”