In today’s hustle-and-bustle world, videoconferencing has become an invaluable tool in many board rooms and offices around the world. It’s a convenient way to connect with people who cannot attend in person, but new questions are being raised about the security of videoconferencing setups.
According to HD Moore, the chief security expert at Rapid7, tens of thousands of videoconferencing setups the world over are vulnerable to spying and hacker attacks.
Moore, using scanning tools, surveyed a small percentage of the Internet to discover videoconferencing hardware that used what is known as the H.323 protocol – the most commonly used protocol for videoconferencing equipment. Two percent of all videoconferencing setups using the protocol were at risk of hacker infiltration.
The trouble, says Moore, is that the videoconferencing systems were set up to automatically answer incoming calls. On top of that, most didn’t use a firewall.
From his sample size, Moore estimated that more than 150,000 videoconferencing setups were vulnerable to eavesdropping through the microphone and the remote-controlled camera. Deployed without firewalls and with auto-answer enabled, the setups are effectively “naked” on the Internet, and virtually anyone with moderate tech know-how can peer in.
Moore was able to access conferences held in a variety of places, including corporate board rooms, law offices, research facilities, and venture capital firms.
In one startling instance, Moore says he was able to dial in to a conference and operate the camera. Using the zoom function, he saw someone enter a password on a laptop. Moore watched the room for some 20 minutes without anyone noticing the motion of the camera.
David Maldow, from Telepresence Options, countered Moore’s findings by stating that “it should be noted that projecting an atmosphere of security risk in videoconferencing is clearly in their interest.” Maldow went on to explain that some of Moore’s claims were a little exaggerated. “I simply don’t see a massive threat in the fact that it is possible to get lucky and randomly dial into an anonymous empty meeting room,” wrote Maldow.
Moore has already published a response to Maldow’s article. “At the end of the day, we stick by our position that videoconferencing systems are often deployed in an insecure manner and that the risk of unauthorized access is not something that many IT administrators or company executives are aware of today,” says Moore.