December 17, 2019

This popular presentation tool has some major security flaws

By Tech Online Things

The cybersecurity firm F-Secure has discovered several exploitable vulnerabilities in a popular wireless presentation system the could allow an attacker to manipulate information during presentations, steal passwords and other sensitive information and even install backdoors and other malware.

The firm found the vulnerabilities in Barco’s ClickShare wireless presentation system which is a collaboration tool that allows users to present content from a variety of devices.

Senior consultant at F-Secure Consulting, Dmitry Janushkevich explained that the popularity of user-friendly tools makes them the perfect targets for hackers, saying:

“The system is so practical and easy to use, people can’t see any reason to mistrust it. But its deceptive simplicity hides extremely complex inner workings, and this complexity makes security challenging. The everyday objects that people trust without a second thought make the best targets for attackers, and because these systems are so popular with companies, we decided to poke at it and see what we could learn.”

Barco ClickShare

Janushkevich and his colleagues at F-Secure consulting then began researching the ClickShare system on-an-off for several months after noticing how popular it was during red team assessments. The team discovered multiple exploitable flaws, 10 of which have CVE (Common Vulnerabilities and Exposures) identifiers.

These different issues facilitated a wide variety of attacks including intercepting information shared through the system, using the system to install backdoors or other malware on users’ computers and stealing information and passwords. Exploiting some of the vulnerabilities requires physical access but F-Secure consulting also found that others can be executed remotely if the system uses its default settings.

According to Janushkevich, the execution of the exploits in Barco ClickShare can be done quickly by a skilled attacker with physical access (possibly while posing as a cleaner or office worker), allowing them to inconspicuously compromise the device.

F-Secure Consulting shared its research with Barco back in November and the two companies then worked together in a coordinated disclosure effort. Barco has now published a firmware update on their website to mitigate the most critical vulnerabilities though several of the issues involve hardware components that require physical maintenance to address and are unlikely to get fixed.