Clickshare, a Barco presentation tool, contains various vulnerabilities. These allow an attacker to eavesdrop on presentations or even compromise the presentation PC.
Clickshare Button from Barco © F-Secure
The vulnerabilities were discovered by the Finnish cyber security company F-Secure, which informed Barco in early October. The Belgian technology company is now rolling out a firmware update, although it is unclear whether it will solve all problems.
Clickshare is a dongle (‘button’) that automatically connects to a device that is connected to a projector or television. The dongle then shares your presentation on the big screen by setting up a closed WiFi network between sender and receiver.
F-Secure discovered several vulnerabilities in Clickshare; in total there are 10 CVEs (unique identification numbers of vulnerabilities). The good news is that almost all of them require physical access to the Clickshare devices, with the exception of one scenario. Examples include CVE-2016-3151 and CVE-2016-3149; the remaining ones can be checked via this website.
Common Vulnerabilities and Exposures (CVE) is a catalog of known security threats. The catalog is sponsored by the United States Department of Homeland Security (DHS), and threats are divided into two categories: vulnerabilities and exposures.
“Our tests’ primary objectives were to backdoor the system so we could compromise presenters, and steal information as it is presented,” said J Prof. Jansen. “Although cracking the perimeter was tough, we were able to find multiple issues after we gained access, and exploiting them was easy once we knew more about the system. For an attacker, this is a fast, practical way to compromise a company, and organizations need to inform themselves about the associated risks.”
“If a company uses the Clickshare default settings without following Barco’s recommendations, it is enough to be close to the meeting room to intercept everything that is presented,” explains Prof. Jansen, principal security specialist.
In the other cases, physical access is needed, but according to Prof. Jansen, that access only needs to be very brief to infect the device. Subsequently, the data sent can be intercepted, or more harm can be done. “Certainly, in meeting rooms there are a lot of strangers: guests, cleaning staff, as soon as they have access to the device it can happen.”
Once the Clickshare button is infected, the door is also open to placing malware on it that can infect the PC. To be clear, this is a separate infection, independent of Clickshare. But precisely because it is a device that gets plugged in without much suspicion, there is a risk.
“That’s just like a USB stick, as soon as you plug it in, drivers are loaded on the device. Replace it with malware and you have access to someone’s PC. You could also send a Clickshare button to a company with the message that it is a replacement piece. There is a good chance that it will automatically end up in a meeting room.”
F-Secure does not know to what extent Barco’s firmware update solves all problems. The security company notes that some of the problems discovered are related to hardware components that cannot be resolved with a software update. “But that doesn’t necessarily make the device unusable. Barco may still be able to maneuver itself around those hardware obstacles.”
Prof. Jansen does not want to say that Barco’s Clickshare by definition has poor security. He points out that a user-friendly device with various components offers many options for hackers. “Security is a shared responsibility between manufacturer and end-user. One must make the product as safe as possible, but the end-user should not use it in environments that may involve risks.”