Something else to worry about, right? Apparently so, according to a Dark Reading report (hat tip to friend and colleague Dave Ries) published on January 24th.
Last October, security researcher HD Moore scanned about 3 percent of addressable Internet space looking for high-end videoconferencing systems present in many corporate and law firm conference rooms.
The scan, which took about two hours using a handful of computers, discovered a quarter of a million systems that understood the H.323 protocol, widely used by Internet protocol (IP) communication systems. Moore, the chief security officer for vulnerability-management firm Rapid7, used a module for the popular Metasploit framework to "dial" each server, connecting long enough to grab the public handshake packets, and then dropped the connection.
"Any machine that accepted a call was set to auto answer," Moore says. "It was fairly easy to figure out who was vulnerable, because if they weren't vulnerable, then they would not have picked up the call."
Using the information, Moore and Rapid7 CEO Mike Tuchen identified 5,000 videoconferencing systems that were set to automatically answer incoming calls, allowing a knowledgeable attacker to essentially gain a front-row seat inside corporate meetings. This is precisely like placing a bug and a camera in the conference room.
If the systems are set to auto-answer incoming calls, they can be activated by a hacker without anyone in the room being the wiser. Researchers found that they could listen into nearby conversations and record video of the environment -- even read e-mail from a laptop screen and passwords on a sticky note 20 feet away.
The research was especially interesting because these vulnerabilities affect targets that can afford $25,000 conferencing systems. Most of the systems were made by Polycom, a leading manufacturer of the systems that mostly ship with their auto-answering functionality enabled. Systems from other companies probably had their auto-answer feature turned on to avoid problems (thereby creating one).
Many of these systems have not yet caught the attention of the security community, but you can be sure that this report will catch the attention of the infosec communcity. Quite outside of this vulnerability, others have been discovered by researchers. These systems should be placed behind a firewall (some IT folks avoid this because the systems act unreliably), be governed by policy and scanned for vulnerabilities - tools are available, but rarely used.
E-mail: firstname.lastname@example.org Phone: 703-359-0700