by Lisa Vaas
Security researcher Drew Green has pried open an internet-connected digital signage system thanks to a default admin web interface password: an easily changeable password that allowed him into the web interface, from where he stumbled onto a chain of vulnerabilities that could allow a malicious attacker to upload whatever unsavories they’d like to display on people’s signage screens.
On Friday, 90 days after Green says he disclosed the vulnerabilities to the digital signage system maker, he published the specifics.
He had pulled apart the signage system for a client during a full-scope penetration test, and this system happened to be on the network. He couldn’t find anything else to dig into, so Green sunk his hooks into the signage system, named Carousel, which comes from Tightrope Media Systems (TRMS) and which his client was running on a TRMS-supplied device that Green says is “essentially an x86 Windows 10 PC.”
As Green understands it, his client had a television in the lobby that was hooked up to the system in order to display information about the company: for example, when interns graduated college; names and pictures of new hires; and awards the company had received. The systems can also play audio, videos, or images: a good way to give customers their first impression when they’re visiting your company.
Or, on the other hand, a good way to sear visitors’ eyeballs if a hacker figures out how to upload whatever unsavories they like.
Poking around online, Green came across a vulnerability (CVE-2018-14573) on his client’s version of the system that allowed him to read system files. He tried to read protected files, such as the SQL database, but found that he couldn’t. What he could do, though, was to email a backed-up file to …
Author: Lisa Vaas