Video Conferencing May Pose Security Risk

News Article - Friday, 17 May 2013 12:20

By: Kerry Butters Category: Connectivity

Video conferencing is becoming increasingly popular with enterprises at the moment, as internet speeds get faster and technology enables a better experience than ever before.

However, over the course of the past year numerous reports have sprung up questioning the security of video conferencing. This is because it’s been found that many systems are open to attacks from hackers, leaving company’s trade secrets open and sensitive meetings at risk.

Last January, The New York Times detailed an experiment carried out by seasoned professional hacker HD Moore, a chief security officer for Rapid7, a Boston-based company that looks for security holes in various computer systems.

He tested the ability to access company systems via their video conferencing devices and found it a simple matter to access several of the top venture capital and law firms in the US. He also gained access to pharmaceutical companies, oil companies, courtrooms and even the Goldman Sachs boardroom.

"The entry bar has fallen to the floor,” said Mike Tuchen , chief executive of Rapid7. "These are literally some of the world’s most important boardrooms — this is where their most critical meetings take place — and there could be silent attendees in all of them.”

However, the most popular video conferencing systems, such as Polycom and Cisco, feature security functions such as encryption, so why is it so simple to hack them?

The answer to this seems to lie with administrators, who are setting the conferencing equipment up outside of the company firewall.

Mr Moore’s experiment found that many administrators had set equipment up in such a way that allows anyone to listen in. All new systems are fitted with a feature that allows inbound calls to be accepted automatically, meaning anyone can dial in and look around the room, as well as listen in.

Testing the vulnerability led Moore to discover 5000 unsecured conference rooms, including a lawyer-inmate meeting room at a prison and an operating room at a university medical centre. No more really needs to be said on the potential risk that is posed by setting up video conferencing equipment without security in mind or a full understanding of the primary considerations when implementing cross-company video communications.

According to Polycom spokesman Shawn Dainas, auto-answer and other features in VC equipment has several built-in security functions that "have been designed to make it easy for our customers to enable security that is appropriate to their business.”

These include password protection, auto-mute, camera control lock and even a lens cover for when the equipment is not in use. The problem seems to lie with the user, who appears to have a "false sense of security” that such devices can’t be hacked.

The issue was explored further at the last Black Hat Europe  held in March 2013 by Moritz Jodiet, who presented a paper entitled Hacking Video Conferencing Systems which demonstrated how to remotely compromise all variants of the Polycom HDX systems.

He found that all systems could be hacked and potentially used as surveillance and industrial espionage targets. This means that enterprises should be aware of the potential risks and take steps to ensure that their video conferencing equipment is secure.

According to Jodiet, Polycom have responded positively to his research and have since released updates to address any potential vulnerabilities in their equipment.

"[Polycom] even offered me a test build before the official publication of the new release 3.1.1.2 which fixed all the issues,” Jodiet said.

Whilst Polycom seem to be keen then to overcome any software issues, it's now a case of raising awareness amongst enterprises, if the issue is to be resolved before it becomes a security disaster.

Recent Articles