OWL Labs, which makes 360-degree video conferencing equipment for classrooms and boardrooms, is telling its customers to patch a number of vulnerabilities, including one that allows people to connect to meetings over Bluetooth without a passcode.
The company, which claims to have more than 2,000 education customers across K-12 and higher ed, announced software updates Friday and Monday targeting how its hardware connects to wireless networks and shares data, with more updates on the way. The U.S. Cybersecurity and Infrastructure Security Agency also issued an alert Tuesday instructing users to update their OWL Labs devices.
The software updates were issued after independent researchers claimed to find vulnerabilities that could leave data and screenshots open to attackers, Ars Technica reported Thursday. OWL Labs produces several pieces of hardware, including the Meeting OWL, a speaker fitted with cameras, microphones and an owl-like face, and a whiteboard camera for hybrid meetings.
The updates cut off some functions in order to secure network access through the internet-connected speakers. For example, the devices can no longer be used as a wireless access point. The company also paused its “Whiteboard Share and Save” function, which captured whiteboard notes, and deleted all data from March 2022.
“The likelihood that our customers have been affected by these issues is low, but we wanted to bring to your attention in the effort of full transparency,” read a blog post from OWL Labs cofounder Mark Schnittman.
After addressing these “high-security” issues, the company is now working on vulnerabilities related to when the speaker requires users to enter a passcode. One of them is that a user does not need to enter a passcode to connect to the Meeting OWL speaker through Bluetooth.
“The Owl PIN issues are low risk and would allow someone to access per-meeting default-meeting settings only … and require them to be within Bluetooth range,” Schnittman wrote, adding that the company also employed third-party security testing. “We expect to resolve the above issues in the next few weeks and will communicate when completed.”
The passcode issue was one of the vulnerabilities that posed particular concern to Miami University in Oxford, Ohio, which posted a message Friday asking users to use OWL devices only when necessary and to unplug them after meetings. The university’s IT team reposted the message on Twitter on Tuesday.
Higher education has long been one of OWL Labs’ major industries, but the company markets widely to companies, government agencies and courtrooms, claiming more than 100,000 organizations use its technology.