March 2, 2012

Hack My Videoconference, Please!

Though the post office's new ad opens, "A refrigerator has never been hacked," it's only a matter of time until smart appliances in the home connect to the Internet and, in turn, open up new opportunities for cyber criminals. In the meantime, though, some critically important Web appliances in business settings are already exploitable in ways folks might not have thought of yet. For example, uninvited guests can hack into your videoconferencing systems and see or hear private information in a number of ways. They may already be doing it.

A recent Boston Globe article recounted the exploits of one HD Moore, chief security officer at Rapid7, a Boston firm that fixes security flaws within IT infrastructures. (Other companies in this game are McAfee's NitroSecurity and IBM's Q1 Labs.)

Moore exploited the H.323 videoconferencing protocol to secretly tour conference rooms in law offices, venture-capital firms, oil refineries, pharmaceutical companies, hospitals and courtrooms. The latest systems from Cisco/Tandberg, Sony, LifeSize/Logitech, Polycom, Codian and others - even with encryption - were no match. And the systems Moore entered would have offered little sign of his presence, except for a tiny console light or camera movement.

TNS-March-photo.jpgThus, Moore warns, real cyber spies could easily gain eyeballs on your firm's sensitive information in the following ways:
  • Zooming into areas outside conferencing rooms.
  • Reading passwords from sticky notes more than 20 feet away.
  • Listening to distant conversations.
  • Reading email on laptop screens.
  • Watching keyboards to capture passwords.

A Simple Hack

Moore used Rapid7's well-known Metasploit penetration-testing program to scan the Web for conferencing systems that:
  • Sat on the Internet side of firewalls (or had been deployed in firms without firewalls).
  • Automatically answered incoming IP calls.

In under two hours, after scanning 3% of the Internet, the program found 5,000 targets out of 250,000 H.323 systems examined. Moore checked a few, and crashed into an attorney-inmate confab, a medical operating room and a venture-capital meeting with financials projected on-screen.

Worse, once he cracked one system, he often could jump from its address books into business partners' conferencing rooms - even those "protected" behind security barriers. In this way, he could have invaded a highly secure Goldman Sachs boardroom, which was listed in an outside law firm's video address book.

Fend Off Coming Attacks

Moore has sounded a critical alarm. But his firm has also blogged about how the hack was done. So the race is now on to lock down your systems, pronto. Here's how:
  • Assume that your videoconferencing systems have shipped in an unsecure state with auto-answer enabled. Disable it.
  • If you haven't already, change systems' factory-default admin IDs and passwords.
  • Move systems behind firewalls. And work with their manufacturers to add "gatekeeper" systems outside the firewalls to screen incoming calls.
  • Have suppliers help you tighten their products' security and make your security auditors test it.
  • Make sure systems' Web interfaces can't initiate outbound calls to outside parties.
  • Require passwords of all conference participants.
  • When practical, lock camera controls during and between meetings.
  • During conferences, ensure that cameras can't see information on flip pads, whiteboards and computer screens that you aren't using.
  • Between conferences, turn systems off (or turn mikes off and cover camera lenses).
  • At all times, keep conference room doors closed.
  • Before scrapping or selling conferencing equipment, thoroughly wipe its data (including address books).

Similarly, when we do start bringing smart fridges and other appliances into our homes and offices, we can also protect them (and our PCs) by changing the factory-default IDs and passwords in our own Internet routers. Many people don't, and hackers know those codes!

NOTE: For security reasons, I don't give out my email address.  However, if you would like to send email to my trusted alter-ego, Dave Powell, he will deliver the messages to me in a plain brown envelope.


HD Moore's videoconferencing system pentest findings are certainly interesting, but they underscore a far more pervasive flaw in the way many people think about new networked devices - especially "smart" devices.

These are not isolated turnkey appliances that can be turned on in with little to no risk exposure. They're networked computers. Computers with access to sensitive information (here audio/video feeds, elsewhere confidential data or simply springboard access to back-end systems). As such, they need to be secured like other networked computers - assessed, hardened, firewalled, access-controlled, monitored for unauthorized use...

I think we're going to see more and more of this - for example, here's a story about a BestBuy store that recently had its SmartTVs hacked:

From consumers to enterprise IT and employees, everyone needs to realize that networked devices shouldn't be put into place without applying at least a few basic security best practices. Skipping that step and hoping that hackers won't notice is just begging for trouble.

Lisa, yes, that's the very point. Too often, such appliances are thought to be outside of IT's purview. But the devices must be "brought in from the cold." This includes any of the new crop of smart TVs that also may be installed in public areas and conference rooms. Both the videoconferencing systems and TVs - and yes, even smart refrigerators - will merit IT's very close attention! Thanks for the great add, Lisa!

A very interesting article.

I would like your view on the trend for Bring your own device to work and how the lack of security on some smart devices might end up with hundreds of such video capture / secret listening devices all over the enterprise.

I think we should be worried, what do you think ?

Glad you liked the article, Dave! You ask an excellent question. One old-school risk still exists, of course: USB flash drives are just as effective at bring in viruses and malware as they ever were. So part of the corporate security policy should mandate that people scan their flash drives for viruses and malware as often as their hard disks (and especially before plugging a flash drive used at home into the corporate net).

You also raise a very valid point about video risks. Videoconferences don't just occur through expensive corporate systems. They may also flow into smart phones, tablet computers, notebooks and PCs throughout the enterprise over services like Skype and VOIP. When these personal sessions are live, they pose the same risks that Moore warned us about. And many of the same defense strategies pertain. For instance, one should ensure that critical personal/company info and employee conversations aren't in the camera's range during such sessions. And one should also turn off the connection (and even close a notebook's cover) when the conversation is over.

But there's yet another video risk that most companies probably never consider. While I was researching this article, I too found myself dropping in on companies' operations through their own security cams. I didn't even have to hack my way in! After a brief Google search, I had a nice list of corporate security cams that anyone can access over the Web. They were stationed at loading docks, on sales floors, in labs, over checkout counters, in private offices, and even outside expensive shops on NYC's Fifth Avenue (just watching people - in HD - as they strolled on by).

Yes, most of these cams are on the Web so that their firms' security managers can check them 24-7. And most of the cams can't be controlled without a password. But they still let anyone watch what's going on. And "spies" with appropriately advanced video-processing tools could conceivably snatch useful data (like passwords) from the camera streams.

So the TV show "Person of Interest" is more real that we'd like to think. And whether we're in our offices or out in the streets, it would be wise to always shield sensitive data from the Web's prying eyes (perhaps with our smart devices held closer to the chest to block external viewing).

IT and security managers should definitely be concerned. And security policies should try to address such video risks.

Definitely an area of interest... and just the tip of the iceberg. Legions of Web-enabled printers and copiers are just waiting to be marshalled into an army by sending malicious code to printers behind firewalls through Web-printing services. But we can't live life under tin-foil hats either!

Thanks Rich for the interesting additional angle on this! By alerting fellow IT professionals, we can all be better prepared for such attacks.

Search Webtorials

Get E-News and Notices via Email




I accept Webtorials' Terms and Conditions.

Trending Discussions

See more discussions...

Featured Sponsor Microsites



Please note: By downloading this information, you acknowledge that the sponsor(s) of this information may contact you, providing that they give you the option of opting out of further communications from them concerning this information.  Also, by your downloading this information, you agree that the information is for your personal use only and that this information may not be retransmitted to others or reposted on another web site.  Continuing past this point indicates your acceptance of our terms of use as specified at Terms of Use.

Webtorial® is a registered servicemark of Distributed Networking Associates. The Webtorial logo is a servicemark of Distributed Networking Associates. Copyright 1999-2018, Distributed Networking Associates, Inc.