
SecurityWeek

Security Infrastructure

Corporate Video Conferencing Systems Fail Secure Implementation

State-of-the-art teleconferencing equipment is a must for most organizations today, but few have installed it correctly, according to researchers at Rapid7. The security company reported on Monday that conference boardrooms around the world were vulnerable to hacking. H.D. Moore, Rapid7's chief security officer and creator of Metasploit, said he found 5,000 wide-open conference rooms within just a 2-hour scan of the Internet. Conference rooms "visited" by Moore included one law firm whose clients included Goldman Sachs. Moore could have accessed that connection, but said he chose not to.

Although most of these systems have encryption, auto-mute and remote camera control locks, these basic security features are often not enabled by the end users, which include law firms, pharmaceutical companies, oil refineries, universities and medical centers. Worse, some teleconferencing systems were installed to run outside the corporate firewall. Others were configured by default to answer outside calls automatically. Moore said that of the major manufacturers (Polycom, Cisco, LifeSize and Sony), only Polycom enables the auto-answer feature by default.

Shawn Dainas, a Polycom spokesman, told the New York Times that "security levels have been designed to make it easy for our customers to enable security that is appropriate to their business." And that's the problem: customers often don't take the next step and configure those settings, or test the system once it has been installed. Customers aren't always in a position to evaluate their own security needs.
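As an added example (not Rapid7's scanner or any vendor's code), the following Python audits an endpoint's exported settings against a hardening baseline built from the misconfigurations named above: auto-answer on, media encryption not required, auto-mute and far-end camera control left unlocked, default admin credentials, and an endpoint directly reachable from outside the firewall. The setting names are assumed generic field names, not any real Polycom, Cisco, LifeSize or Sony configuration keys, and the sample configuration is constructed. A setting that is absent from the export is reported as a finding rather than silently passed.

```python
"""Hardening baseline check for a video conferencing endpoint configuration.

Added example; not Rapid7's scanner or any vendor's tool. The setting names
below (auto_answer, media_encryption, ...) are assumed generic field names,
not the configuration keys of any real product.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    setting: str
    observed: object
    expected: object
    severity: str
    rationale: str


# Baseline: setting -> (expected value, severity, why it matters).
# Keys are hypothetical; map them to your vendor's export format.
BASELINE = {
    "auto_answer": (False, "high", "unattended endpoint accepts inbound calls and exposes the room"),
    "media_encryption": ("required", "high", "audio/video can cross the network in cleartext"),
    "auto_mute_on_answer": (True, "medium", "room audio is live the moment a call connects"),
    "far_end_camera_control": (False, "medium", "remote parties can pan and zoom the camera"),
    "admin_password_changed": (True, "high", "vendor default credentials are publicly documented"),
    "internet_reachable": (False, "high", "endpoint sits outside the firewall and is directly routable"),
}


def audit(config: dict) -> list[Finding]:
    """Return one Finding per baseline setting that is missing or weaker than expected."""
    findings = []
    for key, (expected, severity, why) in BASELINE.items():
        observed = config.get(key)  # None when the export lacks the key: fail closed
        if observed != expected:
            findings.append(Finding(key, observed, expected, severity, why))
    return findings


def harden(config: dict) -> dict:
    """Return a copy of the configuration with every baseline setting set to its expected value."""
    fixed = dict(config)
    for key, (expected, _severity, _why) in BASELINE.items():
        fixed[key] = expected
    return fixed


def risk_score(findings: list[Finding]) -> int:
    """Weighted count of findings: high = 3, medium = 1."""
    weights = {"high": 3, "medium": 1}
    return sum(weights[f.severity] for f in findings)


# Constructed example of an endpoint left at permissive defaults.
WEAK_CONFIG = {
    "auto_answer": True,
    "media_encryption": "optional",
    "auto_mute_on_answer": False,
    "far_end_camera_control": True,
    "admin_password_changed": False,
    "internet_reachable": True,
}


if __name__ == "__main__":
    findings = audit(WEAK_CONFIG)
    for f in findings:
        print(f"[{f.severity.upper()}] {f.setting}: observed={f.observed!r} "
              f"expected={f.expected!r} ({f.rationale})")
    print("risk score:", risk_score(findings))
    print("findings after hardening:", audit(harden(WEAK_CONFIG)))
```

Running the module prints six findings for the constructed configuration and none after `harden()` is applied; the same `audit()` can be run against a real export once the keys are mapped, and the weighted score gives a quick way to rank rooms that need attention first.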

Something similar has been happening with Video over IP and Voice over IP systems. In 2009, Jason Ostrom, director of Sipera Viper Labs, demonstrated how he could intercept and even replace poorly configured video signals remotely. For example, one could replace a static shot of a doorway to hide a break-in. This might not seem like a practical attack, but then again, late last year iBahn, the Internet provider to hotel rooms, had to deny that Chinese hackers had found a way to intercept the company's high-speed video signals.

Previously, Ostrom had shown security conferences how his tool VoIP Hopper could intercept and reconstruct corporate phone calls using a flaw in the Cisco Discovery Protocol. Here, all one needed was a Linux box plugged into the guest phone in a corporate lobby. In his demonstration, however, Ostrom used a hospital scenario instead. Either way, an open port becomes a serious vulnerability.

Security choices have to be intuitive, or most customers won't make them (or won't make them well). And, as the Polycom spokesman states, customers should be able to enable the security that is appropriate for their needs. But how is the customer to know what security is appropriate to their needs?

It would be nice to live in a world where security is built in by the manufacturer, where the boxes are clearly labeled so that you buy the gadget (and its included security) appropriate to your needs, and where regulations stipulate regular pen testing, particularly in Fortune 500 companies. We're inching closer to these goals, but have a long way yet to go. Until then, don't be surprised to see more headlines of the type written above.
