SPARK: Exposing Vulnerabilities in Collaborative Display Systems and Session-Key Exposure
DOI:
https://doi.org/10.34190/iccws.20.1.3373
Keywords:
Solstice Pods, session key retrieval, certificate configuration, self-signed certificates
Abstract
This study investigates the vulnerabilities of Solstice Pods, wireless collaboration devices often used in academic environments, focusing on universities with publicly exposed devices. We analyzed 22 universities, each with 10 or fewer Solstice Pods exposed on Censys.io, a platform for identifying publicly exposed devices. This subset was selected to emphasize vulnerabilities in smaller, publicly exposed systems, without excluding large institutions that may have only a few devices exposed. Our research centers on unauthorized access to device configuration pages and the retrieval of live session keys, which are critical for screen sharing. From 81 exposed Solstice Pods, we manually examined several IP addresses and found that critical configurations, including screen-key disabling, password changes, and session key retrieval, were accessible in some cases. To scale testing, we developed the Solstice Pod Access Retrieval Key (SPARK), a Python tool using SSL/TLS requests to interact with the devices' configuration pages. The SPARK tool successfully generated live session keys in 13 instances across 9 universities, while 68 attempts failed. Statistical analysis revealed that self-signed certificates (issued by Mersive, the Solstice Pod vendor) significantly reduced vulnerability to the SPARK tool, with a success rate of 8.33% for devices using self-signed certificates, compared to 63.89% for those with non-self-signed certificates. To assess the statistical significance of this difference, Chi-square and Fisher’s exact tests were performed, yielding p-values of 0.0464 and 0.0231, respectively. Additionally, a proportions test showed a highly significant result with a p-value of 0.00077. This study underscores the risks of publicly exposed Solstice Pods and highlights the real-world consequences of these vulnerabilities. 
If exploited, these vulnerabilities could lead to unauthorized access to sensitive data, disruption of university operations, and compromise of ongoing academic collaborations. The findings call for stronger security measures, particularly the use of self-signed certificates, to reduce vulnerabilities and protect sensitive information in these devices.
License
Copyright (c) 2025 Emerson Darlington, Fanxing (Amy) Fei, Isabelle Feigenberg, Marissa Gist, Sana Goyal, Sabine Kim, Nikoletta Kuvaeva, Audrey Lawler, Huanyan (Hanne) Li, Claire Lu, Yige (Yoyo) Lu, Laura Messamore, Rachel Mirin, Stella Mrockowski, Hanna Shevade, Whitney Shissler, Olivia Stankiewicz-Goldsmith, Kyla Walker, Yanzi (Ruby) Zeng, Thomas Heverin

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.