Slashdot Mirror

← Back to Stories (view on slashdot.org)

Crestron Touchscreens Could Spy On Hotel Rooms, Meetings (wired.com)

Posted by BeauHD on from the connected-devices dept.

An anonymous reader quotes a report from Wired: The connected devices you think about the least are sometimes the most insecure. That's the takeaway from new research to be presented at the DefCon hacking conference Friday by Ricky Lawshae, an offensive security researcher at Trend Micro. Lawshae discovered over two dozen vulnerabilities in Crestron devices used by corporations, airports, sports stadiums, and local governments across the country. While Crestron has released a patch to fix the issues, some of the weaknesses allowed for hackers to theoretically turn the Crestron Android touch panels used in offices and hotel rooms into spy devices.

Lawshae quickly noticed that these devices have security authentication protections disabled by default. For the most part, the Crestron devices Lawshae analyzed are designed to be installed and configured by third-party technicians, meaning an IT engineer needs to voluntarily turn on security protections. The people who actually use Crestron's devices after they're installed might not even know such protections exist, let alone how crucial they are. Crestron devices do have special engineering backdoor accounts which are password-protected. But the company ships its devices with the algorithm that is used to generate the passwords in the first place. That information can be used by non-privileged users to reverse engineer the password itself, a vulnerability simultaneously identified by both Lawshae and Jackson Thuraisamy, a vulnerability researcher at Security Compass. There were also over two dozen other vulnerabilities that could be exploited to do things like transform them into listening devices. In addition to being able to remotely record audio via the microphones to a downloadable file, Lawshae was also able to remotely stream video from the webcam and open a browser and display a webpage to an unsuspecting room full of meeting attendees. "Crestron has issued a fix for the vulnerabilities, and firmware updates are now available," reports Wired.

21 comments

  1. Crestron? by 110010001000 · · Score: 2

    Geez. They used to make electronics in the 1970s. That is pretty impressive they are still around.

    1. Re:Crestron? by Anonymous Coward · · Score: 1

      They're basically everywhere in school auditoriums and corporate boardrooms to control AV equipment.

    2. Re:Crestron? by 110010001000 · · Score: 2

      I think we have a couple where I work too. We better install the patches, otherwise hackers might view...our Powerpoints...

    3. Re:Crestron? by Anonymous Coward · · Score: 0

      In other words you work for a service-oriented company that doesn't have any trade secrets or Intellectual Property to protect. Got it.
      IT infrastructure outsourcing perhaps?

    4. Re:Crestron? by 110010001000 · · Score: 1

      No we have lots of trade secrets and IP. My gosh, if someone found out about it then they would take over our business. You know like...people who work for the company...we better get rid of them too.

    5. Re: Crestron? by Anonymous Coward · · Score: 0

      Iâ(TM)ve always found it mind boggling when people gather in conf rooms and hold confidential meetings...while surrounded by cameras and microphones.

  2. All hype by mtmra70 · · Score: 5, Informative

    I have programmed and support Crestron devices (among many other AV solutions) over the years (coming close to 20 years). This is all hype.

    Yes, you can open a web page on an embeded browser, you can send/view video streams, etc. But it is all very complex since their systems run proprietary code which has to be written then compiled in their editor. Then you have to load the code on the system, which mind you if you don't have the original source code you immediately break the room/system. And all of this assumes the Crestron(AV) system is not on its own vlan/control subnet. It's like saying a Linux box with a web cam sitting in a conference room can be used to spy on people....as soon as you write, compile and wipe the existing kernel/OS.

    Where is the Cisco article discussing how a "hacker" can open the web interface of a Cisco telepresence system and spy on conference rooms!?!?! Or make it answer an incoming call while overriding what the user in the room might otherwise deny?!?!? Oh wait, thats working as designed....

    1. Re:All hype by Anonymous Coward · · Score: 0

      I have programmed and support Crestron devices (among many other AV solutions) over the years (coming close to 20 years). This is all hype.

      Absolutely hype. No big deal. It's only root.

      Yes, you can open a web page on an embeded browser, you can send/view video streams, etc. But it is all very complex since their systems run proprietary code which has to be written then compiled in their editor. Then you have to load the code on the system, which mind you if you don't have the original source code you immediately break the room/system.

      Exactly, nothing to see here. Look at Windows, it's closed source and more watertight than Phil Swift's boats. Let me know when someone leaks the source to Android, then we might have a problem.

    2. Re: All hype by Anonymous Coward · · Score: 1

      You are vastly overestimating the amount of access this gives you.

      Additionally, not all of the TSW-xx60 units have cameras and microphones.

      As far as controlling the room, you essentially send encoded strings back to the processor over cip or scip. Every system is unique. You may have stumbled upon a panel that only adjusts volume for yoga studio.

      If you have access to this unit, you've already owned the network.

      These are trivially easy to secure and crestron provides (surprisingly) decent documentation for hardening the entire control system network.

      These panels are NOT the control system, they are an interface to the control system, and they can only trigger what's been programmed for that panel on that system.

      Even without the patch, three console commands lock down everything.

      I have roughly 13 years programming Crestron and my code exists in multiple systems for 3 of the large corporations listed in the article as clients of Crestron

    3. Re: All hype by Anonymous Coward · · Score: 0

      ah yes, the old *security through obscurity* argument. always a good distraction.

    4. Re:All hype by Anonymous Coward · · Score: 0

      So why are the 60-series TSW panels still using Android 4? If Crestron cared about its security, why use what is now an ancient operating system?

    5. Re: All hype by Anonymous Coward · · Score: 0

      I have roughly 13 years programming Crestron and my code exists in multiple systems for 3 of the large corporations listed in the article as clients of Crestron

      That may be, but it really doesn't matter. You don't disregard privilege escalation to literally fucking root as if it's nothing. That's ridiculously irresponsible in any scenario. And if you were such a pro as you're trying to imply, you would understand that.

  3. As an American my first though by rsilvergun · · Score: 1, Troll

    was Pee Tape. Yeah, it would be hard for a run of the mill hacker, but I'm guessing most folks don't expect their Hotel TV to spy on them. It would be a useful attack vector or an intelligence agency.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re: As an American my first though by Anonymous Coward · · Score: 0

      what could possibly be in a hotel room that is interesting enough to spy on?

  4. This feels more like déjà vu than news.. by Mnemennth · · Score: 3, Informative

    ...8 years ago they were still selling units running XP embedded ( I installed and serviced them). I saw at least a dozen easily exploited holes in their management procedures back then, and I'm not talking about outre' software & firmware hacks like we're seeing with all these IoT devices that everybody's all up in arms over... but just plain poor security implementation on a procedural and management level.

    That said, I've been out of the trade for several years now... while it's possible they've tightened up their ship, as sloppy as things were back then I find it hard to believe their gear is now inherently any more secure than a Chinese smartphone.

    Cheers,

    mnem
    Security of any sort in any large organization is more a matter of running around putting out brushfires than anything like actually sealing up a leak.

  5. He's not offensive, he's my brother by Anonymous Coward · · Score: 1

    Ricky Lawshae, an offensive security researcher at Trend Micro.

    I met Ricky Lawshae once, and I didn't find him particularly offensive. Rimshot.

  6. Would you like to know... by Anonymous Coward · · Score: 1

    ...who's also spying on your hotel rooms? Duck nuggers.

  7. Anything to shout "hackers!" by Anonymous Coward · · Score: 2, Insightful

    because how else are you getting attention for your "hacking" presentation on your "hacker" conference?

  8. Flexible bedside lamps by Anonymous Coward · · Score: 1

    I always thought those flexible bedside lamps that are built into the bedframe had built in cameras.