It was reported last week that a hacker had accessed the video conferencing system of the Parti Libéral du Québec (PLQ) and eavesdropped on confidential meetings. The hacker concerned reported, with video proof, to Le Journal de Montréal (JDM) and the PLQ has confirmed the veracity of that proof. It would appear that no actual harm has been done.
Nevertheless, the potential damage from this type of ‘breach’ is enormous. In January 2012 well-known security expert HD Moore, founder of Metasploit and now principal at Special Circumstances, LLC, demonstrated the effects of hacking a video conferencing system. “With the move of a mouse,” reported the New York Times , “he steered a camera around each room, occasionally zooming in with such precision that he could discern grooves in the wood and paint flecks on the wall… With such equipment, the hacker could have easily eavesdropped on privileged attorney-client conversations or read trade secrets on a report lying on the conference room table.”
It would seem that the PLQ hacker had similar access, although we don’t know if he had similar control over the cameras. There are two conference rooms in the PLQ offices, and the cameras are always active. The access obtained by the hacker was thus to the system itself rather than any specific video conference. He or she could have eavesdropped on anything that occurred in those conference rooms.
The dangers of such access are obvious. In the demonstration by HD Moore, he “found it easy to get into several top venture capital and law firms, pharmaceutical and oil companies and courtrooms across the country. He even found a path into the Goldman Sachs boardroom.” Moore had been focusing his research on the H.323 protocol and the lack of authentication for most video conference equipment.
There is some confusion over this latest breach, but it doesn’t seem to have used the same methods as those used by Moore.
“We already have a team of experts working to understand what happened and plug the computer breach on the videoconferencing system as quickly as possible,” PLQ’s director of communications Maxine Roy told JDM. But this may not have been a traditional computer breach – depending on the configuration of the system, the hacker may have gained access to the video conferencing without first having to break into PLQ’s own network.
“The main difference between this hack and my previous work was the method of access; this attack was conducted on the administrative interface of the device,” Moore told SecurityWeek by email. “As far as I can tell, it looks like the attacker guessed the password to a Lifesize system (and the default was ‘12345’). These systems were also vulnerable to a command execution vulnerability a couple years ago, so there is a chance that method was used if the system was out of date.”
If Moore is right, it simply confirms what security people already know – the weakest link is almost always the user. It would be wrong to blame the video conferencing supplier for providing a ‘12345’ default password (provided it explicitly recommended that this should be changed by the customer on installation); but it would be right to blame PQL for not resetting that password.
Similarly questions will need to be asked about the PQL video conferencing operators. It seems that an unauthorized third party legitimately logged on to the system but remained unnoticed – or at least unqueried – over extended periods of time.
SecurityWeek has asked Lifesize for any response to Moore’s comments, but has not received any reply at the time of writing. Meanwhile, the single biggest lesson from this episode is that all default passwords must always be changed.
Related: Corporate Video Conferencing Systems Fail Secure Implementation