Owl Labs Update

Update as of July 22, 2022

On July 22, 2022, Owl Labs launched the latest release in our recent series of security updates. With the 5.4.3.4 software release, all recently identified security vulnerabilities have now been addressed. In this release, you’ll find: new encryption layer to protect firmware data and secured Mobile Refresh updates.

If your Meeting Owl (Pro or 3) is connected to Wi-Fi, you will automatically receive this update after midnight local time today. If you’d like to apply the update immediately, here are detailed instructions on how to manually update your Meeting Owl.

Security is an ongoing effort and central to how we operate at Owl Labs. More to come from us, but know you’ll always receive transparency and swift action when it comes to any identified vulnerability. More information and updates above can be found in our release notes and privacy and security hub.

Update as of June 23, 2022

Today, June 23, 2022, Owl Labs released the latest software update 5.4.2.3 in reference to recent security issues that were identified.

These updates include:

The Passcode Is Not Required for Bluetooth Command (CVE-2022-31463)
Hard Coded Backdoor Passcode (CVE-2022-31462)
Deactivation of Passcode Without Authentication (CVE-2022-31461)
Passcode-Hash Can Be Retrieved via Bluetooth (CVE-2022-31459)

As of today, all outstanding CVE IDs have been resolved. Note: CVE ID (CVE-2022-31460) was resolved on June 6, 2022.

Owl Labs is committed to ensuring our products are secure, and continues to make security a top priority. More updates to come, and updates above can be found in our release notes and privacy and security hub.

Original Update from June 6, 2022

Following our communication on Friday, June 3, we have rolled out a new software release with important security updates. As of today at noon EDT, a second release is available.

Today's release, 5.4.1.4, includes the following update:

Disabled the passthrough of networking traffic in Wi-Fi AP tethering mode so that the Meeting Owl cannot be used as a wireless access point (referencing CVE-2022-31460).

If your Meeting Owl Pro is connected to Wi-Fi, you should have automatically received the first update (5.4.0.15), and Meeting Owls that are online will automatically update with the second release after midnight local time today. If you’d like to apply the update immediately, here are detailed instructions on how to manually update your Meeting Owl.

We want to assure our customers that all high-security issues have been addressed. Now, Owl Labs is in the process of implementing a few additional updates.

Upcoming updates will address the associated CVE IDs, which are related to the Meeting Owl Pro’s PIN (referred here as passcode):

The Passcode Is Not Required for Bluetooth Command (CVE-2022-31463)
Hard Coded Backdoor Passcode (CVE-2022-31462)
Deactivation of Passcode Without Authentication (CVE-2022-31461)
Passcode-Hash Can Be Retrieved via Bluetooth (CVE-2022-31459)

To be clear, once software version 5.4.1.4 is applied, there is no risk of unauthorized network access due to the above CVEs. The Owl PIN issues are low risk and would allow someone to access per-meeting default-meeting settings only (for example: Presenter Enhance, 360-degree Pano on/off), and require them to be within Bluetooth range. We expect to resolve the above issues in the next few weeks and will communicate when completed.

Our commitment to you, our customers.

We are working with a 3rd party penetration testing company to continue to test these issues, and everything we build going forward.
We will continue to send consistent communications on our progress.
We are here and happy to answer any concerns or questions that you may have. These technical updates can be complicated, and we want to help navigate.

More to come. As always, don’t hesitate to reach out with any questions or concerns.

_Mark Schnittman, Cofounder and CTO, Owl Labs