In October 2019, ethical hackers from Finnish cyber security company F-Secure reached out to Barco and shared that, after months of investigation, they had found a way to gain access to our ClickShare solution. It was a tough time for Barco, and for our ClickShare product development team in particular. But every obstacle is an opportunity to do better.
F-Secure pointed the development team to a number of software and hardware vulnerabilities in ClickShare. While the team was able to quickly solve the bulk of the software issues, it was much harder to deal with the hardware part. One critical vulnerability could be attributed to an external supplier of electronics for the ClickShare Button and Base Unit.
At any rate, the ethical hackers had gone to great lengths: they had spent months hacking the product, and they had to open the unit and desolder components to get to the electronics.
Although Barco had not received any reports of units being affected by the vulnerabilities, the issue was made public on 16 December 2019.
“When we received the news from F-Secure in October, we immediately took the matter seriously,” says David Martens (Product Security Architect). “We realized that the best thing to do was to stay humble and tackle the problem head on. And so we did. We have stringent ISO-certified software development processes in place that help us go through the necessary steps to respond to identified threats.”
A software upgrade was released on 13 December 2019, making unauthorized access to a ClickShare unit even harder. With the new update, hackers will at least need to physically access the Base Unit. This means entering a company building and then tampering with the unit (via soldering). They cannot do this quickly. Sending a phishing mail is probably safer and easier.
“As software developers, we need to be open and honest with our customers: there is no such thing as 100% security,” says David. “However, we can ‘safely’ claim to continuously work on product security and to make it as hard as possible for hackers to do harm.”
The priority of the ClickShare product team was to release new firmware, patching the vulnerabilities that could lead to unauthorized access. The team also worked together with the external electronics supplier on some of the hardware-related vulnerabilities. Through a strategy of ‘defense in depth’, the ClickShare team has built multiple layers of security into the product, aiming to discourage hackers from going to the trouble.
In any case, the news about ClickShare has put cyber security even higher on the agenda at Barco. “It reminds us that we continuously have to raise the bar for cyber security,” says David. “Only then can we be one step ahead of potential hackers.”
For the smoothest and safest experience, we strongly recommend updating your ClickShare units to the latest ClickShare firmware.