Latest Telepresence and Visual Collaboration News:
Teleconferencing Vendors Defend Product Security Features
January 25, 2012 | Hogan Keyser
H.D. Moore and Mike Tuchen revealed their research for security company Rapid7 on Monday, detailing how easily attackers can secretly spy on boardrooms where conferencing systems have been left open to receive calls from anyone by default.
The problem boils down to auto-answer, a feature in products from companies such as Cisco, LifeSize and Polycom that automatically connects incoming video or audio calls. Moore, who is chief security officer at Rapid7, wrote a program to scan for teleconferencing systems in which administrators left this feature enabled, a major security issue.
Moore's scan covered about 3 percent of the addressable internet and found 250,000 systems using the H.323 protocol, a specification for audio and video calls. Moore said he found more than 5,000 organizations had left auto-answer enabled in products from vendors including Polycom, Cisco, LifeSize and Sony. Overall, the findings mean up to 150,000 systems across the internet could be vulnerable, according to Rapid7.
Once inside a conference room, Rapid7 said that even cheap videoconferencing systems could allow a person to "read a six-digit password from a sticky note over 20 feet away from the camera."
"In an otherwise quiet environment, it was possible to clearly hear conversations down the hallway from the video conferencing systems," Moore wrote on Rapid7's blog. "A separate test confirmed the ability to monitor a user's keyboard and accurately capture their password, simply by aiming the camera and using a high-level zoom."
But if all of the security features of the various teleconferencing systems were enabled, Moore "couldn't imagine anyone would use the product to make a phone call" due to the complexity, he said in an interview.
For a comprehensive list of ways to protect your videoconferencing system from "videoconferencing hackers" and other mythical creatures, read David Maldow's excellent article: How to Defend Your Boardroom Against "Videoconferencing Hackers" and Other Mythical Creatures
Add New Comment
Telepresence Options welcomes your comments! You may comment using your name and email (which will not be displayed), or you may connect with your Twitter, Facebook, Google+, or DISQUS account.
20 March 2017 20 March 2017 17 March 2017
22 February 2017 2 February 2017 17 January 2017
See what happens when YouTube and TPO come together at the Telepresence Options YouTube Channel.