[LINK] Videoconference systems

stephen at melbpc.org.au
Tue Jan 24 02:02:14 AEDT 2012


Cameras May Open Up the Board Room to Hackers

By NICOLE PERLROTH  www.nytimes.com  Published: January 22, 2012 (snip) 

"The auto-answer feature is enabled by default (so) that anyone can dial 
in and listen and look around a room"


SAN FRANCISCO — One afternoon this month, a hacker took a tour of a dozen 
conference rooms around the globe via equipment that most every company 
has in those rooms: videoconferencing equipment.

With the move of a mouse, he steered a camera around each room, 
occasionally zooming in with such precision that he could discern grooves 
in the wood and paint flecks on the wall. With such equipment, the hacker 
could have easily eavesdropped on privileged attorney-client 
conversations or read trade secrets on a report lying on the conference 
room table. 

In this case, the hacker was HD Moore, a chief security officer at 
Rapid7, a Boston-based company that looks for security holes in computer 
systems. His latest find: videoconferencing equipment is often left 
vulnerable to hackers. 

Businesses collectively spend billions of dollars each year beefing up 
security on their computer systems and employee laptops. But rarely do 
they give much thought to the ease with which anyone can penetrate a 
videoconference room where their most guarded trade secrets are openly 
discussed. 

Mr. Moore has found it easy to get into several top venture capital and 
law firms, pharmaceutical and oil companies and courtrooms across the 
country. He even found a path into the Goldman Sachs boardroom. “The 
entry bar has fallen to the floor,” said Mike Tuchen, chief executive of 
Rapid7. “These are literally some of the world’s most important 
boardrooms — this is where their most critical meetings take place — and 
there could be silent attendees in all of them.” 

Ten years ago, videoconferencing systems were complicated and erratic, 
and ran on expensive, closed high-speed phone lines. Over the last 
decade, videoconferencing — like everything else — migrated to the 
Internet. 

Now, most businesses use Internet protocol videoconferencing to connect 
with colleagues and customers. Most of these new systems were designed 
with visual and audio clarity — not security — in mind. 

The most popular units, sold by Polycom and Cisco, can cost as much as 
$25,000 and feature encryption, high-definition video capture, and audio 
that can pick up the sound of a door opening 300 feet away. But 
administrators are setting them up outside the firewall and are 
configuring them with a false sense of security that hackers can use 
against them. 

Whether real hackers are exploiting this vulnerability is unknown; no 
company has announced that it has been hacked. (Nor would one, and most 
would never know in any case.) But with videoconference systems so 
ubiquitous, they make for an easy target. 

It certainly would not be the first time hackers had exploited holes in 
office hardware. After a security breach at the United States Chamber of 
Commerce last year, the Chamber discovered that its office printer, and 
even a thermostat in a Chamber-owned apartment, had been communicating 
with an Internet address in China. 

But with videoconferencing, companies have seemingly gone out of their 
way to make themselves vulnerable. 

New systems are outfitted with a feature that automatically accepts 
inbound calls so users do not have to press an “accept” button every time 
someone dials into their videoconference. The effect is that anyone can 
dial in and look around a room, and the only sign of their presence is a 
tiny light on a console unit, or the silent swing of a video camera.

Two months ago, Mr. Moore wrote a computer program that scanned the 
Internet for videoconference systems that were outside the firewall and 
configured to automatically answer calls. In less than two hours, he had 
scanned 3 percent of the Internet. 

In that sliver, he discovered 5,000 wide-open conference rooms at law 
firms, pharmaceutical companies, oil refineries, universities and medical 
centers. He stumbled into a lawyer-inmate meeting room at a prison, an 
operating room at a university medical center, and a venture capital 
pitch meeting where a company’s financials were being projected on a 
screen. 

Among the vendors that popped up in Mr. Moore’s scan were Polycom, Cisco, 
LifeSize, Sony and others. Of those, Polycom — which leads the 
videoconferencing market in units sold — was the only manufacturer that 
ships its equipment — from its low-end ViewStation models to its high-end 
HDX products — with the auto-answer feature enabled by default. 

In an e-mail, Shawn Dainas, a Polycom spokesman, said the auto-answer 
feature had several safety elements built in that could be activated by a 
customer, including password protections, auto-mute and camera control 
lockup, adding that Polycom also offered a camera lens cover. He said 
the “security levels have been designed to make it easy for our customers 
to enable security that is appropriate to their business.”  

Of the Polycom videoconference systems that popped up in Mr. Moore’s 
scan, none blocked control of the camera, asked for a password or muted 
sound. 

“Many Polycom systems are sold, installed and maintained without any 
level of access security, with auto-answer enabled by default,” Mr. Moore 
says. “It boils down to whether organizations are aware of the risk, and 
our research indicates that many, even well-heeled venture capital firms, 
were not aware and do not implement even the most basic of security 
measures.” 

Mr. Tuchen of Rapid7 said that as a shortcut, businesses put their 
videoconference systems outside the firewall, allowing them to receive 
calls from other companies without having to do any complex network 
configuration. The safer way to receive calls from other companies, Mr. 
Tuchen said, is to install a “gatekeeper” that securely connects calls 
from outside the firewall. But this process “is complex to configure 
properly,” he said, and “is often skipped.” 

In some cases, Mr. Moore discovered he could leap from one open system 
into its address book and dial into the conference rooms of other 
companies, even those companies that put their system behind the 
firewall. 

That was the case with Goldman Sachs. The bank’s boardroom did not show 
up in Mr. Moore’s initial scan but an entry labeled “Goldman Sachs Board 
Room” popped up in the directory of a law firm that Goldman Sachs 
videoconferences with. Mr. Moore did not disclose the name of the law 
firm and said that because he was afraid of “crossing a line,” he did not 
dial into Goldman Sachs. 

Said Mr. Tuchen, “Any reasonably computer literate 6-year-old can try 
this at home.” 
--

Cheers,
Stephen