This popular presentation tool has some major security holes

Cybersecurity firm F-Secure has discovered several exploitable vulnerabilities in a popular wireless presentation system that could allow an attacker to manipulate information during presentations, steal passwords and other sensitive information, and even install backdoors and other malware. The company discovered vulnerabilities in Barco's ClickShare wireless presentation system, a collaboration tool that allows users to present content from a variety of devices. F-Secure Consulting senior consultant Dmitry Janushkevich said the popularity of the easy-to-use tools made them perfect targets for hackers, saying: "The system is so convenient and easy to use that people don't see a reason to suspect. But their deceptive simplicity hides extremely complex inner workings, and that complexity makes security difficult. Everyday objects that people trust without a second thought are the best targets for attackers, and because these systems are so popular with businesses, we decided to push it forward and see what we could learn."

Barco ClickShare

Janushkevich and his colleagues at F-Secure Consulting began investigating the ClickShare system on an ad hoc basis for several months after noticing its popularity during red team testing. The team discovered several exploitable vulnerabilities, 10 of which have CVE (Common Vulnerabilities and Exposures) identifiers. These issues enable a wide variety of attacks, including the interception of information shared through the system, the use of the system to install backdoors or other malware on users' computers, and the theft of information and passwords. Exploitation of certain vulnerabilities requires physical access, but F-Secure Consulting also discovered that others can be executed remotely if the system uses its default settings. According to Janushkevich, a skilled attacker with physical access (possibly posing as a cleaner or office worker) can quickly execute exploits on Barco ClickShare, allowing them to discreetly compromise the device.

F-Secure Consulting shared its research with Barco in November and the two companies worked together in a coordinated outreach effort. Barco has released a firmware update on its website to mitigate the most critical vulnerabilities, although many of the issues involve hardware components that require physical maintenance to resolve and are unlikely to ever be fixed.