To Hack Or Not to Hack Video Conferencing Systems
Posted on Tue, Jan 31, 2012
The New York Times posted an article last week titled, “Cameras May Open Up the Board Room to Hackers”, which has been all the rage in the videoconferencing industry. A great deal of video conferencing equipment is connected to the Internet without a firewall or gateway and is configured to automatically answer incoming video calls. “Hackers” are able to monitor both audio and video information, often with little or no indication to the target. In this instance, the hacker was HD Moore, a chief security officer at Rapid7, a Boston based company that looks for security holes in computer systems.
In 2003, HD Moore created a program called Metasploit which helps IT security professionals identify security issues, verify vulnerability mitigations, and manage security assessments. All Metasploit editions contain a scanner module for quickly identifying H.323-enabled systems that accept incoming calls. The researchers found the conference rooms by scanning the Internet for videoconference systems that were set up outside firewalls and configured to automatically answer calls.
In 2 hours this research covered about 3% of the addressable Internet and focused on equipment that spoke the H.323 protocol. Of the 250,000 systems identified with this service, just under 5,000 were configured to automatically receive incoming calls. There are an estimated 150,000 systems on the Internet as a whole affected by this issue. This does not count the hundreds of thousands of video conferencing systems exposed on the internal networks of large corporations.
Moore discovered conference rooms at law firms, pharmaceutical companies, oil refineries, universities and medical centers, a lawyer-inmate meeting room at a prison and a venture capital pitch meeting where a company’s financials were being projected on a screen.
A couple of examples of what the Rapid7 lab found during separate tests were: an easily readable six-digit password from a sticky note over 20 feet away from the camera and also read a user's email on their laptop screen.
Polycom, still ships most of their equipment with auto-answer configured by default. Other vendors, such as Sony, Tandberg (Cisco), Lifesize (Logitech), and Codian appear to require the user to specifically enabled auto-answer mode. Devices from each of these vendors were found during the course of the research, but they made up a much smaller portion of the whole compared to Polycom.
David Maldow, an associate editor at Telepresenceoptions.com wrote up quite the response in an article titled, “How to Defend Your Boardroom Against "Videoconferencing Hackers" and Other Mythical Creatures”. He said, “rather than hacking into the boardrooms, Rapid7 was simply calling them. These systems apparently answered some of their calls, as they were designed to do.”
He goes on explaining how difficult it is to “hack” into a room and not get noticed. If you did want to spy, your best bet would be to call into the room before the meeting started, and hope the monitor goes back to sleep before anyone gets into the room and the meeting starts. You would also have to hope that they were not planning on using the system, as they would immediately see that it was in a call as soon as they picked up the remote. Maldow created a list of "ifs" necessary to make this work...
-
IF - you can get the number in the first place
-
IF - the number you get happens to be anyone worth spying on
-
IF - it is an unsecured system and the call isn't blocked by a firewall
-
IF - the network doesn't redirect your call to a meet-me bridge
-
IF - the solution is set to auto answer
-
IF - the camera is pointed in the right place or controllable
-
IF - they don't have a lens cap on the camera
-
IF - the audio isn't muted (many systems answer with audio muted)
-
IF - you know when the meeting you want to spy on is going to happen
-
IF - no one notices you calling in
-
IF - the system isn't being used during the meeting
-
IF - no one notices the "in use" light on the system, camera, or mic
-
THEN - you might be able to spy on your random target
So was Rapid7 hacking into the boardrooms or was he simply calling the video conferencing systems, you be the judge.
Author: Julie Bertok