State of the art teleconferencing equipment is a must for most organizations today but few have installed it correctly, according to researchers at Rapid 7. The security company reported on Monday that conference boardrooms around the world were vulnerable to hacking. H.D. Moore, Rapid 7′s chief security officer and creator of Metasploit, said he found 5,000 wide-open conference rooms just within a 2-hour scan of the Internet. Conference rooms “visited” by Moore included one law firm whose clients included Goldman Sachs. Moore could have accessed that connection, but said he chose not to.
Although most of these systems have encryption, auto-mute and remote camera control locks, these basic security features are often not enabled by the end-users, which include law firms, pharmaceutical companies, oil refineries, universities and medical centers. Worse, some teleconferencing systems were installed to run outside the corporate firewall. Others were configured by default to answer outside calls automatically. Moore said of the major manufacturers–Polycom, Cisco, LifeSize, and Sony–only Polycom enables the auto-answer feature by default.
Shawn Dainas, a Polycom spokesman, told the New York Times “security levels have been designed to make it easy for our customers to enable security that is appropriate to their business.” And that’s the problem: customers often don’t take the next step and configure those settings, or test the system once it’s been installed. Customers aren’t always in a position to evaluate their own security needs.
Something similar has been happening with Video over IP and Voice over IP systems. In 2009, Jason Ostrom, director of Sipera Viper Labs, demonstrated how he could intercept and even replace poorly configured video signals remotely. For example, one could replace a static shot of doorway to hide a break-in. This might not seem like a practical attack, but then again late last year iBahn, the internet provider to hotel rooms, had to deny that Chinese hackers had found away to intercept the company’s high-speed video signals.
Previously Ostrom had shown security conferences how his tool VoIP Hopper could intercept and reconstruct corporate phone calls using a flaw in the Cisco Discovery Protocol. Here, all one needed was a Linux box plugged into the guest phone in a corporate lobby. In his demonstration, however, Ostrom used a hospital scenario instead. Either way, an open port becomes a serious vulnerability.
Security choices have to be intuitive or these choices won’t be made by most customers (or made well). And, as the Polycom employee states, customers should be able to enable the security that is appropriate for their needs. But how is the customer to know what security is appropriate to their needs?
It would be nice to live a world where security is built in by the manufacturer, where the boxes are clearly labeled so that you buy the gadget (and included security) appropriate to your needs, and that regulations stipulate regular pen testing, particularly in Fortune 500 companies. We’re inching closer to these goals, but have a long way yet to go. Until then, don’t be surprised to see more of the type of headline written above.