Crestron Touchscreens Could Spy On Hotel Rooms, Meetings

An anonymous reader quotes a report from Wired: The connected devices you think about the least are sometimes the most insecure. That’s the takeaway from new research to be presented at the DefCon hacking conference Friday by Ricky Lawshae, an offensive security researcher at Trend Micro. Lawshae discovered over two dozen vulnerabilities in Crestron devices used by corporations, airports, sports stadiums, and local governments across the country. While Crestron has released a patch to fix the issues, some of the weaknesses allowed for hackers to theoretically turn the Crestron Android touch panels used in offices and hotel rooms into spy devices.

Lawshae quickly noticed that these devices have security authentication protections disabled by default. For the most part, the Crestron devices Lawshae analyzed are designed to be installed and configured by third-party technicians, meaning an IT engineer needs to voluntarily turn on security protections. The people who actually use Crestron’s devices after they’re installed might not even know such protections exist, let alone how crucial they are. Crestron devices do have special engineering backdoor accounts which are password-protected. But the company ships its devices with the algorithm that is used to generate the passwords in the first place. That information can be used by non-privileged users to reverse engineer the password itself, a vulnerability simultaneously identified by both Lawshae and Jackson Thuraisamy, a vulnerability researcher at Security Compass.

There were also over two dozen other vulnerabilities that could be exploited to do things like transform them into listening devices. In addition to being able to remotely record audio via the microphones to a downloadable file, Lawshae was also able to remotely stream video from the webcam and open a browser and display a webpage to an unsuspecting room full of meeting attendees. “Crestron has issued a fix for the vulnerabilities, and firmware updates are now available,” reports Wired.