Meeting Owl Pro is a video conference device popular with colleges and universities. It captures 360-degree video and audio. It automatically focuses on whoever is speaking to make virtual participants feel more like a part of the team.  The console looks like a plastic owl.

However, these devices have serious security vulnerabilities which can expose users' personal information and compromise the networks they connect with. 

Issues include:

1. “The exposure of names, email addresses, IP addresses, and geographic locations of all Meeting Owl Pro users in an online database that can be accessed by anyone with knowledge of how the system works. This data can be exploited to map network topologies, and socially engineer or dox employees.  
2. The device provides anyone with access to it with the interprocess communication channel, or IPC, which it uses to interact with other devices on the network. This information can be exploited by malicious insiders or hackers who exploit some of the vulnerabilities found during the analysis  
3. Bluetooth functionality designed to extend the range of devices and provide remote control by default uses no passcode, making it possible for a hacker in proximity to control the devices. Even when a passcode is optionally set, the hacker can disable it without first having to supply it.  
4. The access point mode creates a new Wi-Fi SSID while using a separate SSID to stay connected to the organization network. By exploiting Wi-Fi or Bluetooth functionalities, an attacker can compromise the Meeting Owl Pro device and then use it as a rogue access point that infiltrates or exfiltrates data or malware into or out of the network.  
5. Images of captured whiteboard sessions — which are supposed to be available only to meeting participants — could be downloaded by anyone with an understanding of how the system works.” This issue has recently been addressed by the vendor.

Researchers from the security firm, modzero, first contacted the Owl Labs in mid-January to privately report their findings. As of June 6, 2022, the vendor has not yet fixed the most glaring vulnerabilities, leaving thousands of customer networks at risk. However, Owl Labs has acknowledged the four remaining bugs and outlined their planned fixes.

Turn Off Owl Devices to Protect Network Security

“The only advice that I have at the moment is to turn the [Meeting Owl] devices off until the Bluetooth-related vulnerabilities are mitigated,” modzero co-CEO Thorsten Schröder wrote in a direct message. “Disabling the Wi-Fi connection to the local network is not sufficient, as an attacker can turn it on again via Bluetooth. The Owls network must not have access to internal infrastructure.”

Practical Recommendations

• Remove Meeting Owl devices from home or campus networks until patches resolving all of these issues are released by the vendor.
• Stay informed about new patches to address these issues. New issues could also emerge. For instance, on June 8, 2022, Owl Labs released a patch fixing the AP-tethering mode issue (number 4 above).

This article summarizes the Meeting Owl Videoconference device article by Ars Technica. For more information, including the detailed security findings and the manufacturer's response, read the full article.

“The owls are not what they seem.” - Twin Peaks