Saturday, December 12, 2009

Wiretapping a Video Teleconference

John Kindervag discusses video teleconferencing wiretapping...
"Now while this technology has some real business value there are also inherent security flaws in video conferencing systems running across a corporate network. Because these internal networks are rarely, if ever, encrypted, it is possible to perform an eavesdropping attack on TelePresence or any other similar videoconferencing system.

Recently I was lucky enough to attend a hands-on VoIP and UC hacking class at VIPER Lab. VIPER is run by my good friend and former colleague, Jason Ostrom. Jason and his team have been instrumental in developing new research and tools related to voice over IP (VoIP) and unified communications (UC) security. Their live distro, VAST, is available on SourceForge and contains several ground-breaking UC security tools.

Using one of the tools, UCSniff, I was able to recreate a scenario similar to the 30 Rock episode and intercept and view a live videoconference in real time. Here is a screenshot showing the UCSniff tool intercepting a video call between Jason and me:


Anyone with access to your network can use this tool to eavesdrop on your voice or video conversations. This is why VoIP and UC security is so critical. Any unencrypted call is susceptible to this attack. Imagine that your employees can now listen in as your CEO discusses potential mergers or acquisitions. The risks are real but UC security is often overlooked."