January 24, 2012
Security Company Discovers Videoconferencing Security Risk
At Rapid 7, a Boston based computer security firm, chief security officer HD Moore discovered a major security hole for many companies. These companies invest thousands of dollars each year on videoconferencing equipment that is left open to hackers. These companies include top venture capital and law firms, pharmaceuticals, oil companies and courtrooms, and even banks like Goldman Sachs´ boardroom.
Mike Tuchen, chief executive of Rapid 7, told the New York Times, “These are literally some of the world´s most important boardrooms - this is where their most critical meetings take place - and there could be silent attendees in all of them.”
A decade ago, security for videoconferencing wasn´t as important. Old systems ran on expensive, closed high-speed phone lines. Modern equipment has made the switch to internet-protocol videoconferencing. These systems are typically designed for video and audio quality with security as a secondary concern.
Rapid 7 discovered these companies were investing in top-quality videoconferencing equipment, but they were being setup on the cheap. The most popular models by Polycom and Cisco cost as much as $25,000 and feature encryption, high-definition video capture, and audio that can pick up the sound of a door opening 300 feet away, according to the New York Times.
The security breach occurs when network administrators setup the units outside of the network firewall, instead of installing the more complicated gatekeeper. The units come pre-configured to automatically accept incoming calls, meaning anyone can dial in without receiver interaction and look around the conference room, or listen in. The only indication of an intrusion would be a small light on the camera or the sound of a moving camera.
According to Moore, “Many Polycom systems are sold, installed and maintained without any level of access security, with auto-answer enabled by default. It boils down to whether organizations are aware of the risk, and our research indicates that many , even well-heeled venture capital firms, were not aware and do not implement even the most basic of security measures.”
Moore discovered the security flaw after spending an afternoon writing a computer program that scanned the internet for open hardware. Within two hours he had remotely entered 5,000 wide-open conference calls. The program only scanned 3 percent of the internet, exposing a major security threat.
On the Net: