Report: Videoconferencing equipment vulnerable to hackers

Jan. 24, 2012
IT researchers say companies are not taking the proper network security precautions

According to a story published earlier this week by the New York Times, IT security researchers have discovered vulnerabilities in videoconferencing equipment that could allow hackers easy access to corporate secrets.

HD Moore, who works for computer network vulnerability testing firm Rapid7, told the newspaper that he found that he could easily tap into this equipment at organizations across the country from pharmaceutical and oil companies to law firms and courtrooms.

The problem, according to Rapid7, was that companies failed to adequately invest in the security of these systems. In many cases, IT administrators are setting them up outside network firewalls and with the capability to automatically answer phone calls.

Moore said that he created a program that searched the Internet for systems with these vulnerability characteristics and he reportedly discovered 5,000 open conference rooms in less than two hours.

"The entry bar has fallen to the floor," Mike Tuchen, president and CEO of Rapid7 told the New York Times. "These are literally some of the world's most important boardrooms — this is where their most critical meetings take place — and there could be silent attendees in all of them." Click here to read the full story.

According to IT security consultant Kevin Beaver, the risks posed by weak security measures on videoconferencing systems are numerous and include not just the potential for spying on corporate meetings, but also disablement of cameras and the deletion of video files.

"I see these flaws all the time in videoconferencing and security camera systems. I tell my clients if it has an IP address or a URL then it's fair game for attack," he said.

Beaver added that one of the problems with these systems is that often times they are not installed by a company’s own network administrator, but an outside integrator who may not be as security conscious.

"Network admins are often not the people setting these systems up. It's the systems integrators they're purchased through," Beaver explained. "Once they're on the network, there's the common assumption of 'someone else is taking care of that.' Or worse, 'that's not my problem; that's something that physical security is responsible for.' The bad guys don't care about any such internal political strife - they just go about their business, hence the problem we have."

Regardless of who installed the system, however, Beaver said that organizations need to take responsibility for securing them.

"You cannot secure what you don't acknowledge," he said. "It doesn't matter who's installed the system or who manages it on a daily basis. If it's on your network, it's up to you to keep it in check."