InformationWeek: The Business Value of Technology

InformationWeek: The Business Value of Technology
InformationWeek Big Data Coverage
= Member Content
Facebook Twitter Share

E-mail | Print | Permalink | LinkedIn | RSS

Videoconferencing Systems Vulnerable To Hackers


Take these steps to secure your videoconferencing system and prevent outsiders from spying on your company.


By Robert Lemos- Dark Reading
InformationWeek
January 25, 2012 11:37 AM

Last October, security researcher HD Moore's scanned about 3% of addressable Internet space looking for high-end videoconferencing systems--the type of systems present in many corporate boardrooms and meeting spaces.

The scan, which took about two hours using a handful of computers, discovered a quarter of a million systems that understood the H.323 protocol, widely used by Internet protocol (IP) communication systems. Using that list, Moore, the chief security officer for vulnerability-management firm Rapid7, used a module for the popular Metasploit framework to "dial" each server, connect long enough to grab the public handshake packets, and then dropped the connection.

"Any machine that accepted a call was set to autoanswer," Moore says. "It was fairly easy to figure out who was vulnerable, because if they weren't vulnerable, then they would not have picked up the call."

Using the information, Moore and Rapid7 CEO Mike Tuchen identified 5,000 videoconferencing systems that were set to automatically answer incoming calls, allowing a knowledgeable attacker to essentially gain a front-row seat inside corporate meetings. Videoconferencing systems that automatically answer incoming calls can be turned on externally by an attacker without attracting the attention of people in the boardroom. In tests on systems in Rapid7's lab, the researchers found that the system could listen into nearby conversations and record video of the surrounding environment--even read e-mail from a laptop screen and passwords off of a sticky note that was 20 feet away.

While the number of vulnerable systems may be small--about 150,000 across the Internet, Moore estimates--the technique returned an interesting set of targets, he says.

"What made this interesting is that you are only going to find places that can afford $25,000 videoconferencing systems, so it's a pretty self-selecting set of targets," Moore says.

The lion's share of the videoconferencing systems found by Moore's experiment were made by Polycom, a leading manufacturer of the systems that mostly ship with their autoanswering functionality enabled. Companies using equipment from other manufacturers likely turned on the feature to make videoconferencing as problem free as possible.

Yet using such systems securely requires only a few, if not always simple, steps, says Joshua Talbot, security intelligence manager at Symantec.

Read the rest of this article on Dark Reading.

Federal agencies must eliminate 800 data centers over the next five years. Find how they plan to do it in the new all-digital issue of InformationWeek Government. Download it now (registration required).




InformationWeek encourages readers to engage in spirited, healthy debate, including taking us to task. However, InformationWeek moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. InformationWeek further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.
Subscribe to RSS


Advertisement

UC Collaboration Technology Reports

report Beyond Dial Tone: 6 Steps to Wring ROI Out of UC
Unified communications and collaboration represents a significant investment in money and IT resources. It's critical to determine whether your company will benefit from unified communications. Not every organization will. The key is to tackle complexity head on and ensure all stakeholders are fully engaged from the beginning. Our report provides in-depth detail on building an ROI picture for a UC deployment.

report Desktop Videoconferencing: Ready for Its Closeup
The advent of Scalable Video Coding (SVC), which enables the use of the Internet for high-quality desktop videoconferencing, means enterprises can deploy videoconferencing to a majority of workers. Companies that value face-to-face communications can make it happen without breaking the bank. The report also includes exclusive research on IT’s adoption plans for videoconferencing.

report 2012 State of Unified Communications
The good news: The percentage of users who've deployed and are using UC jumped six points, to 36%, since our 2010 survey, and the number of "fence sitters" is down, too. The not-so-good news: For 65%of those who have deployed or plan to do so, UC currently reaches 50% or less of the employee base. What's the holdup?

report Best Practices: Reliable Unified Communications
If your UC infrastructure is erratic or the communications quality poor, you're sunk, because end users today don't have the patience to give IT three or four chances to get it right. And that just adds up to wasted money. In this InformationWeek Best Practices report, we describe strategies to ensure quality communications between end users, whether they're on the LAN, WAN or a mobile device.

report Into the Fold: Mobile Unified Communications Within Reach
IT’s been pushing UC and mobility initiatives on separate tracks. But if either technology is to realize its full potential, CIOs must make integration a priority. In this Strategy Session report, we discuss ways to bring smartphones and tablets into your overall unified communications plan.