The STEM Audio Table conference-room speaker has a security vulnerability that would allow unauthenticated remote code execution (RCE) as root – paving the way for eavesdropping on conversations, denial of service, lateral movement throughout enterprise networks and more.
And, there are multiple additional security issues as well, according to GRIMM researchers, all of which would allow an attacker to interfere with the device.
The STEM Audio Table is a high-end, nine-speaker smart device, shaped like a large puck, that sits on a conference table to enable whole-room conferencing. It can also be used with other devices to, say, enable video calls. It sports a web-based control interface and connects via the internet to download firmware updates.
“Modern business often relies heavily on the Internet and software resources such as Zoom or Skype to support daily operations. Use of such systems often requires additional hardware resources like microphones and cameras,” researchers noted. “What were once mechanical or analog devices are now increasingly being redesigned with embedded processors. This change in direction implies that what seem like ordinary commodity devices are, in fact, reasonably capable computing machines with attack surfaces very similar to traditional PCs.”
RCE Security Bugs
GRIMM said that the RCE bug is a stack-based buffer overflow issue, located in the “local_server_get() and sip_config_get() in stem_firmware_linux_2.0.0.out” function.
The local_server_get function is responsible for handling user requests to retrieve the “local server” device-configuration option.
“This is done by first requesting that the device set this option to a user-controlled value, followed by an inquiry on what that value is,” researchers explained in a posting this week. “The storage container for this setting is much larger than the stack buffer size allotted for it while preparing the response packet that will be returned to the user. As such, the contents of the retrieved configuration value will spill onto the surrounding stack due to the use of sprintf [a C+ library function] to unsafely copy the data contents.”
A similar buffer-overflow issue is present in the handlers responsible for getting and setting Session Initiation Protocol (SIP) configuration options, according to GRIMM.
“The function execution flow of sip_config_get is identical to local_server_get, and so the same exploitation pattern as described above can be used,” researchers explained. “The pattern of using sprintf or strcpy is used very often in this binary and, as such, likely provides many more buffer-overflow opportunities.”
In both cases, attackers would be able to deploy whatever payload they choose, be it spyware, ransomware, a botnet client or other malware.
Other Security Issues in STEM Audio Table
GRIMM found another security hole that would allow command injection and the ability to execute arbitrary code as root on the device, located in the “system_update_now() in stem_firmware_linux_2.0.0.out” function.
“The firmware update mechanism is handled by a Python support script that runs with user-supplied arguments,” according to the analysis. “The system_update_now function handler is responsible for invoking this script…No sanitization is performed on these arguments (‘url’, ‘user’ or ‘password’) before invoking system to start the Python interpreter. The origin of these three parameters is the entirely user-controlled ‘local server’ device configuration option.”
Also concerning is the fact that no authentication is required to use the device’s control interface, which is a web-based GUI.
“Any operation the GUI was capable of, and more, could be remotely executed without knowing the organization password,” researchers noted. “Further, if the current password were desired, one need only ask with a special use of the STEM_ORG_LEAVE_REQ command. Altogether, the device can be completely controlled through this unauthenticated interface.”
Some of the commands that an attacker could execute through the control interface include factory resets, reboots, checking for updates and choosing an update server URL. As such, attackers would be able to point the device to a fake update server that they control and to forge an update that could execute attacker-controlled scripts, thereby achieving RCE.
But that’s not all: The way the device handles encryption is also problematic, according to GRIMM. While the communication between the STEM Audio Table and the web GUI is occasionally encrypted, the use of it isn’t enforced: Any command can be sent in plaintext, and the device will handle the request.
“Additionally, due to an oversight by developers, the private key associated with the encrypted data is freely available in the firmware update packages,” researchers said. “In fact, it can even be downloaded directly from the device. Network traffic is easily decrypted after acquiring this private key.”
And finally, the device lacks user isolation: All services on the STEM Audio Table run as root, meaning that an exploited vulnerability in any component of the device can provide execution “in the context of the most privileged user on a Linux machine.”
Versions 2.0.0 – 2.0.1 are impacted. STEM’s parent company, Shure, has issued a patch in version 220.127.116.11 of the firmware, so users should make sure their devices are updated. CVEs are pending for all the bugs.
Internet of Things Continues to Threaten Enterprises
The STEM Audio Table is just the latest internet-of-things (IoT) device to open the door to adversaries via glaring security vulnerabilities.
“While GRIMM’s research efforts targeted this particular device, the vulnerabilities and design flaws identified by GRIMM follow similar patterns to vulnerabilities discovered in other networked video teleconferencing (VTC) devices throughout the small commodity hardware industry,” researchers explained. “As such, similar issues are undoubtedly present in related devices such as VoIP phones, network-connected cameras, and many smart devices that are part of the IoT space.”
To mitigate some of the risk, organizations should always research the IoT devices they select, looking for any security histories for either the devices themselves or the vendors. This can be done through manufacturer-specific security advisories, public security advisories or blog posts from security researchers, GRIMM noted.
Once a device is deployed, enterprises can also shore up basic security hygiene practices to protect themselves, like employing network segmentation and isolation, and changing any default passwords.
Download our exclusive FREE Threatpost Insider eBook, “2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!