
The device poses a threat to users as well as any network it connects to.

This week Ars Technica reported on a major security risk posed by a popular videoconferencing device used by governments and corporations.

The Meeting Owl Pro is a videoconference device with an array of cameras and microphones that captures 360-degree video and audio and automatically focuses on whoever is speaking to make meetings more dynamic and inclusive. The consoles, which are slightly taller than an Amazon Alexa and bear the likeness of a tree owl, are widely used by state and local governments, colleges, and law firms.

A recently published security analysis has concluded the devices pose an unacceptable risk to the networks they connect to and the personal information of those who register and administer them.

Researchers from modzero AG, a Switzerland- and Germany-based security consultancy, discovered the threats while conducting an analysis of videoconferencing solutions on behalf of an unnamed customer.

As modzero dug into the device features, it quickly discovered that the details customers enter during the enrollment phase and the most recent connections that follow are stored in a database hosted on the Internet. No password is required to access the data. Instead, all that’s needed is a valid Meeting Owl serial number.

Patch available

In mid-January, modzero first contacted Meeting Owl maker Owl Labs of Somerville, Massachusetts, to privately report its findings. On June 3 and June 6, Owl Labs released patches for the most serious vulnerabilities. The updates are applied automatically to every Meeting Owl device with an internet connection. Some risks remain: Owl Labs is currently working on a fix for the remaining issues, CVE-2022-31463, CVE-2022-31462, CVE-2022-31461 and CVE-2022-31459.
