Monday, January 23, 2012

Security Director Alert: Eavesdropping via Video Teleconferencing

Covertly eavesdropping on boardroom chit-chat through the video teleconferencing system is not new. We've been demonstrating (and correcting) this problem for our clients for years. The vulnerability, however, has finally received some publicity.
Result: Expect more attempts to access video teleconferencing systems.
Recommendations: Turn off the auto-answer feature on your teleconferencing system, so that every inbound call must be accepted by someone in the room. Make sure the system sits behind a firewall rather than directly on the Internet, and that inbound calls to it are limited to the addresses you actually conference with.

FREE offer: The full Murray Associates Video Teleconferencing Security Checklist is available to corporate security directors (only) at no charge. Contact me here.

via The New York Times...
One afternoon this month, a hacker took a tour of a dozen conference rooms around the globe via equipment that most every company has in those rooms; videoconferencing equipment...the hacker was HD Moore, a chief security officer at Rapid7, a Boston based company that looks for security holes in computer systems...Mr. Moore has found it easy to get into several top venture capital and law firms, pharmaceutical and oil companies and courtrooms across the country...

“These are literally some of the world’s most important boardrooms — this is where their most critical meetings take place — and there could be silent attendees in all of them.” 

New systems are outfitted with a feature that automatically accepts inbound calls so users do not have to press an “accept” button every time someone dials into their videoconference. The effect is that anyone can dial in and look around a room, and the only sign of their presence is a tiny light on a console unit, or the silent swing of a video camera. 

Two months ago, Mr. Moore wrote a computer program that scanned the Internet for videoconference systems that were outside the firewall and configured to automatically answer calls. In less than two hours, he had scanned 3 percent of the Internet. 

In that sliver, he discovered 5,000 wide-open conference rooms at law firms, pharmaceutical companies, oil refineries, universities and medical centers. He stumbled into a lawyer-inmate meeting room at a prison, an operating room at a university medical center, and a venture capital pitch meeting where a company’s financials were being projected on a screen. 

Among the vendors that popped up in Mr. Moore’s scan were Polycom, Cisco, LifeSize, Sony and others. Of those, Polycom — which leads the videoconferencing market in units sold — was the only manufacturer that ships its equipment — from its low-end ViewStation models to its high-end HDX products — with the auto-answer feature enabled by default. (more)
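The scan described above finds endpoints that accept an inbound call with nobody in the room. The same condition shows up on the wire: an H.323 endpoint that rings first sends a Q.931 ALERTING message and a CONNECT seconds later, while an auto-answering endpoint connects almost immediately and typically never alerts. The script below, an added example that is not from the article, Murray Associates or any vendor, classifies call legs in captured H.225/Q.931 signaling (TCP port 1720, TPKT-framed) on that basis, so a security team can check its own endpoints from a packet capture rather than from vendor defaults. The trace, the addresses, the one-second threshold and the `q931_frame` helper are all assumptions constructed for the example; the constructed frames omit the information elements a real SETUP carries, because only the message header is decoded.

```python
"""Spot auto-answering H.323 endpoints in captured H.225/Q.931 call signaling.

Added example, not code from the article or from Murray Associates. It assumes
a trace of TPKT-framed Q.931 messages as seen on TCP/1720 (e.g. exported from a
pcap); the trace at the bottom is constructed for illustration.
"""
import struct

# Q.931 message types (ITU-T Q.931, Table 4-2) that H.225 reuses for call control.
SETUP = 0x05
CALL_PROCEEDING = 0x02
ALERTING = 0x01
CONNECT = 0x07
RELEASE_COMPLETE = 0x5A
Q931_PD = 0x08  # Q.931 protocol discriminator


def q931_frame(call_ref: int, msg_type: int) -> bytes:
    """Build a minimal TPKT (RFC 1006) + Q.931 header. Used only to construct the sample trace;
    real messages also carry information elements after the message type."""
    body = bytes([Q931_PD, 0x02]) + struct.pack(">H", call_ref) + bytes([msg_type])
    return b"\x03\x00" + struct.pack(">H", 4 + len(body)) + body


def parse_q931(frame: bytes) -> tuple[int, int]:
    """Return (call_reference, message_type) from one TPKT-framed Q.931 message.

    Layout: TPKT 03 00 LL LL | PD 08 | call-ref length (low nibble) | call-ref | msg type | IEs.
    The top bit of the call reference is a direction flag (set on messages sent by the
    called side); it is stripped so both directions of a call share one key.
    """
    if len(frame) < 4 or frame[0] != 0x03 or struct.unpack(">H", frame[2:4])[0] != len(frame):
        raise ValueError("not a well-formed TPKT frame")
    body = frame[4:]
    if len(body) < 2 or body[0] != Q931_PD:
        raise ValueError("not a Q.931 message")
    crl = body[1] & 0x0F
    if crl == 0 or len(body) < 3 + crl:
        raise ValueError("truncated Q.931 header")
    call_ref = int.from_bytes(body[2:2 + crl], "big") & ((1 << (8 * crl - 1)) - 1)
    msg_type = body[2 + crl] & 0x7F
    return call_ref, msg_type


def classify_calls(trace, threshold: float = 1.0) -> dict:
    """Group messages by call reference and decide whether each call was auto-answered.

    Rule (an assumption of this example): a call is auto-answered if CONNECT arrives with
    no ALERTING at all, or within `threshold` seconds of SETUP. `trace` is an iterable of
    (timestamp_seconds, source_ip, frame_bytes).
    """
    calls = {}
    for ts, src, frame in trace:
        ref, mtype = parse_q931(frame)
        c = calls.setdefault(ref, {"setup": None, "alerting": False, "connect": None, "endpoint": None})
        if mtype == SETUP:
            c["setup"] = ts
        elif mtype == ALERTING:
            c["alerting"] = True
        elif mtype == CONNECT:
            c["connect"] = ts
            c["endpoint"] = src  # the side that sent CONNECT is the (auto-)answering endpoint
    verdicts = {}
    for ref, c in calls.items():
        if c["connect"] is None:
            verdict = "not answered"
        elif not c["alerting"] or (c["setup"] is not None and c["connect"] - c["setup"] < threshold):
            verdict = "auto-answered"
        else:
            verdict = "answered"
        verdicts[ref] = {"verdict": verdict, "endpoint": c["endpoint"]}
    return verdicts


# Constructed trace (documentation addresses): an outside caller 203.0.113.10 dials
# endpoint 192.0.2.20 three times. Replies from the endpoint carry the call-reference flag bit.
FROM_CALLEE = 0x8000
SAMPLE_TRACE = [
    (0.000, "203.0.113.10", q931_frame(1, SETUP)),
    (0.030, "192.0.2.20", q931_frame(1 | FROM_CALLEE, CALL_PROCEEDING)),
    (0.210, "192.0.2.20", q931_frame(1 | FROM_CALLEE, CONNECT)),           # no ring: auto-answer
    (10.000, "203.0.113.10", q931_frame(2, SETUP)),
    (10.040, "192.0.2.20", q931_frame(2 | FROM_CALLEE, ALERTING)),
    (14.800, "192.0.2.20", q931_frame(2 | FROM_CALLEE, CONNECT)),          # rang, then accepted
    (20.000, "203.0.113.10", q931_frame(3, SETUP)),
    (20.050, "192.0.2.20", q931_frame(3 | FROM_CALLEE, ALERTING)),
    (40.000, "192.0.2.20", q931_frame(3 | FROM_CALLEE, RELEASE_COMPLETE)),  # nobody picked up
]

if __name__ == "__main__":
    for ref, result in sorted(classify_calls(SAMPLE_TRACE).items()):
        print(f"call {ref}: {result['verdict']} (endpoint {result['endpoint']})")
```

Run against a real capture taken at the firewall, any "auto-answered" verdict whose endpoint is reachable from the Internet is exactly the exposure the scan above found, and is the endpoint whose auto-answer setting should be turned off first. The threshold is a heuristic: some endpoints send ALERTING even when they auto-answer, which is why a fast CONNECT is flagged regardless of alerting.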