Flaws in STEM Conference Room Speakerphone Can Be Exploited to Spy on Users
Security News, June 2021
Vulnerabilities identified in the STEM Audio Table conference room speakerphone could be exploited by hackers for various purposes, including to eavesdrop on conversations, according to cybersecurity research firm GRIMM.

The first issue is a stack-based buffer overflow in the function that handles user requests for the device's "Local server" configuration option.

The second, also found by GRIMM's researchers, is a command injection bug in the device's firmware update mechanism, which is handled by a Python script that accepts user-supplied arguments.

Because the device accepts those values from an external controller, an attacker could tamper with the update process by altering the URL, username, and password the script uses, have the device fetch and install a fake update, and thereby achieve remote code execution.
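The pattern described above, shown as an added example rather than GRIMM's findings or the vendor's script: a firmware-update helper that pastes a caller-supplied URL, username and password into a single shell command line, next to a hardened version that refuses unexpected input and never lets a shell parse the values. The hostname allowlist, the credential pattern and the use of `printf` as an offline stand-in for the real download tool are assumptions made for this example; the injected URL is constructed input.

```python
"""Added example (not GRIMM's or the vendor's code): command injection through a
firmware-update helper that builds a shell command from caller-controlled values,
and a hardened variant that validates the values and passes them as argv."""
import os
import re
import subprocess
import tempfile
from urllib.parse import urlparse

# Stand-in for the device's real download tool (curl/wget): printf is harmless,
# runs offline, and its output shows exactly which argv the tool received.
DOWNLOADER = ["printf", "%s\\n"]

# Assumed for this example: the only host the device may fetch firmware from.
ALLOWED_UPDATE_HOSTS = {"updates.example.invalid"}
CRED_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")
PATH_RE = re.compile(r"/[A-Za-z0-9._/-]+")


def vulnerable_update(url, username, password):
    """Vulnerable pattern: values interpolated into one string handed to sh -c.
    A URL ending in '; touch /tmp/x' makes the shell run touch after printf."""
    cmd = f"{DOWNLOADER[0]} '{DOWNLOADER[1]}' -u {username}:{password} {url}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def validate_update_params(url, username, password):
    """Refuse anything that is not a plausible update source or credential.
    Rejecting metacharacters is safer than trying to escape them."""
    parts = urlparse(url)
    if parts.scheme != "https":
        raise ValueError("update URL must use https")
    if parts.hostname not in ALLOWED_UPDATE_HOSTS:
        raise ValueError("update host not in allowlist")
    if parts.params or parts.query or parts.fragment:
        raise ValueError("update URL must not carry params, query or fragment")
    if not PATH_RE.fullmatch(parts.path):
        raise ValueError("unexpected characters in update path")
    for name, value in (("username", username), ("password", password)):
        if not CRED_RE.fullmatch(value):
            raise ValueError(f"{name} contains disallowed characters")
    return parts


def is_safe_update_request(url, username, password):
    """Boolean wrapper around validate_update_params for callers and tests."""
    try:
        validate_update_params(url, username, password)
    except ValueError:
        return False
    return True


def run_downloader_argv(url, username, password):
    """Each value is its own argv element and no shell is involved, so
    metacharacters inside the values are data, not command syntax."""
    argv = DOWNLOADER + ["-u", f"{username}:{password}", url]
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout


def hardened_update(url, username, password):
    """Validate first, then run without a shell: both layers are needed, since
    argv alone would still let an attacker choose an arbitrary update source."""
    validate_update_params(url, username, password)
    return run_downloader_argv(url, username, password)


def demo_injection():
    """Run the same '; touch <marker>' payload (constructed input) through both
    paths and report (shell_marker_created, argv_marker_created)."""
    workdir = tempfile.mkdtemp()
    shell_marker = os.path.join(workdir, "pwned_by_shell")
    argv_marker = os.path.join(workdir, "pwned_by_argv")
    base = "https://updates.example.invalid/fw.bin"
    vulnerable_update(f"{base}; touch {shell_marker}", "admin", "secret")
    run_downloader_argv(f"{base}; touch {argv_marker}", "admin", "secret")
    return os.path.exists(shell_marker), os.path.exists(argv_marker)


if __name__ == "__main__":
    print("shell path ran injected command:", demo_injection()[0])
    print("argv path ran injected command:", demo_injection()[1])
    print(hardened_update("https://updates.example.invalid/fw/v2.bin", "admin", "s3cret"))
```

Validation and argv passing address different problems: the argv form stops the shell from interpreting the values, while the scheme, host and path checks stop the device from being pointed at an attacker-controlled update server in the first place. Fixing only one of the two leaves the fake-update path open.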
"[VoIP] devices like the STEM Audio Table are essentially network-connected microphones.
"Such a foothold inside an organization provides a stable position for further network operations, data collection, and surveillance from a device that is unlikely to attract much attention. Without proper device isolation in the network, collected data can easily be exfiltrated over the Internet back to attackers."
Devices with automatic updates enabled should receive the patches immediately.