While the recent findings do not pertain to Mersive’s Solstice family of products, one of our competitors has been singled out for security vulnerabilities for the second time this year. Independent researcher F-Secure, who performed the most recent analysis and published the results on December 16th 2019, identified a dozen security vulnerabilities in the base station, USB dongle and client software. While the vendor has now taken steps to address the most serious issues, the F-Secure report states that several of the flaws can only be fixed through physical maintenance and are unlikely to get patched.
As we did earlier this year when this vendor and several others were identified as having security vulnerabilities, we want to inform you that Mersive Solstice is not affected by these vulnerabilities and to provide guidance on what all of this means, including the steps we take on a continuous basis to ensure security is a top priority.
Fundamentally, the issues discovered in this most recent report stem from three sources: the use of insecure, off-the-shelf protocols in the software; an architecture that stores sensitive documents; and a hardware vulnerability related to a system chip on the host unit that gives users root access to the system.
- In the case of the insecure software, the affected units are susceptible to command injection, which can be used to install new software on the unit or run commands with elevated privileges. The Solstice Pod does not make use of the impacted C runtime libraries that are being used to inject commands into this vendor’s unit operating system. In addition, the Solstice Pod is equipped with a strict whitelisting algorithm that only allows a pre-defined set of known, secure commands to be run with elevated privileges. Furthermore, if the Pod is connected to a network that may carry untrusted users (a guest network, for example), all configuration traffic can be disabled from that network.
- In the case of the hardware-based vulnerability, Mersive does not make use of the impacted chipset. We do not ship units that can be rooted through the use of a JTAG interface or other debugging tools. Physical access to the Pod will not allow an attacker to gain root access to the system.
- Finally, we do not store user content on the Pod. All shared user content including App windows, desktops, Miracast streams, and iOS mirroring streams are encoded as a transient video stream that is encrypted and then transmitted to the Pod for decoding. Video streams are decoded into volatile memory only and user content is not sent to or stored on the Pod.
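The command whitelisting approach described above, shown as an added illustration rather than Mersive’s own code: a request such as "set-hostname pod-1" is accepted only if its name is on a fixed allowlist and its single argument passes a strict character check, and an accepted request is executed with a fixed argv through execv, never through a shell. The command names, paths and the request syntax are constructed for the example; the page names neither the affected C runtime libraries nor Mersive’s actual algorithm.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>
/* Constructed allowlist for illustration: absolute path, run without a shell,
 * plus whether exactly one validated argument is required. */
struct allowed_cmd { const char *name, *path; int takes_arg; };
static const struct allowed_cmd ALLOWLIST[] = {
    { "reboot",       "/sbin/reboot",  0 },
    { "set-hostname", "/bin/hostname", 1 },
};
struct request { int idx; char name[32]; char arg[256]; };

/* Only letters, digits, '.' and '-' pass; ';', '|', '$', quotes and spaces never
 * reach the executed program. */
int arg_is_safe(const char *s) {
    size_t n = strlen(s);
    if (n == 0 || n > 253) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '.' && s[i] != '-') return 0;
    return 1;
}
/* Parse "name [arg]" against the allowlist: 0 and *out filled on success, -1 for
 * an unknown name, wrong argument count, unsafe argument or trailing tokens. */
int parse_request(const char *req, struct request *out) {
    char extra;
    int n = sscanf(req, "%31s %255s %c", out->name, out->arg, &extra);
    if (n < 1 || n > 2) return -1;
    for (size_t i = 0; i < sizeof ALLOWLIST / sizeof ALLOWLIST[0]; i++) {
        if (strcmp(ALLOWLIST[i].name, out->name) != 0) continue;
        if ((n == 2) != ALLOWLIST[i].takes_arg) return -1;
        if (n == 2 && !arg_is_safe(out->arg)) return -1;
        out->idx = (int)i;
        return 0;
    }
    return -1;
}
/* Allowlist index for a request string, or -1 if it must be refused. */
int check_request(const char *req) { struct request r; return parse_request(req, &r) == 0 ? r.idx : -1; }
/* Run a validated request with a fixed argv via execv, never system()/popen();
 * returns the child's exit status, or -1 on failure. */
int run_privileged(const struct request *r) {
    const struct allowed_cmd *c = &ALLOWLIST[r->idx];
    char *argv[3] = { (char *)c->path, c->takes_arg ? (char *)r->arg : NULL, NULL };
    int status = -1; pid_t pid = fork();
    if (pid == 0) { execv(c->path, argv); _exit(127); }
    if (pid > 0) waitpid(pid, &status, 0);
    return (pid > 0 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}
```

Because the argument is passed as one argv element and the shell is never involved, a request like "set-hostname pod;reboot" is refused by arg_is_safe before anything runs, and even an unexpected character that slipped through could not be interpreted as a second command.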
As the maker of a network-connected software product, Mersive has always taken enterprise security very seriously and is in constant dialog with our corporate and education customers, who subject our products to the most rigorous testing in the industry. We run multiple third-party penetration tests every year and perform ongoing monitoring of each Solstice release. A complete picture of our security profile is available under NDA in a secure data portal. This portal contains all previous testing results, our 24-hour response policy, and a document that outlines security-focused features that have been built into our software but are not communicated to the general public. If you’d like to learn more, please contact us for access to this information.
Finally, it’s important that you ensure that your Solstice deployment has been configured according to the Baseline Security Standard. While we do everything we can to ensure the product is security hardened, it’s important that it is deployed with security best practices in mind.
Of course, if you or your network security team have questions, please contact us directly and we’d be happy to discuss our security profile in detail.