SecurityWeek

Corporate Video Conferencing Systems Fail Secure Implementation

State-of-the-art teleconferencing equipment is a must for most organizations today, but few have installed it correctly, according to researchers at Rapid 7. The security company reported on Monday that conference boardrooms around the world were vulnerable to hacking. H.D. Moore, Rapid 7's chief security officer and creator of Metasploit, said he found 5,000 wide-open conference rooms just within a 2-hour scan of the Internet. Conference rooms “visited” by Moore included one law firm whose clients included Goldman Sachs. Moore could have accessed that connection, but said he chose not to.

Although most of these systems have encryption, auto-mute and remote camera control locks, these basic security features are often not enabled by the end-users, which include law firms, pharmaceutical companies, oil refineries, universities and medical centers. Worse, some teleconferencing systems were installed to run outside the corporate firewall. Others were configured by default to answer outside calls automatically. Moore said that of the major manufacturers (Polycom, Cisco, LifeSize, and Sony), only Polycom enables the auto-answer feature by default.

Shawn Dainas, a Polycom spokesman, told the New York Times “security levels have been designed to make it easy for our customers to enable security that is appropriate to their business.” And that’s the problem: customers often don’t take the next step and configure those settings, or test the system once it’s been installed. Customers aren’t always in a position to evaluate their own security needs.

Something similar has been happening with Video over IP and Voice over IP systems. In 2009, Jason Ostrom, director of Sipera Viper Labs, demonstrated how he could intercept and even replace poorly configured video signals remotely. For example, one could replace a static shot of a doorway to hide a break-in. This might not seem like a practical attack, but then again late last year iBahn, the internet provider to hotel rooms, had to deny that Chinese hackers had found a way to intercept the company’s high-speed video signals.

Previously Ostrom had shown security conferences how his tool VoIP Hopper could intercept and reconstruct corporate phone calls using a flaw in the Cisco Discovery Protocol. Here, all one needed was a Linux box plugged into the guest phone in a corporate lobby. In his demonstration, however, Ostrom used a hospital scenario instead. Either way, an open port becomes a serious vulnerability.

Security choices have to be intuitive or these choices won’t be made by most customers (or made well). And, as the Polycom employee states, customers should be able to enable the security that is appropriate for their needs. But how is the customer to know what security is appropriate to their needs?

It would be nice to live in a world where security is built in by the manufacturer, where the boxes are clearly labeled so that you buy the gadget (and included security) appropriate to your needs, and where regulations stipulate regular pen testing, particularly in Fortune 500 companies. We’re inching closer to these goals, but have a long way yet to go. Until then, don’t be surprised to see more of the type of headline written above.
