The Trouble with Videoconferencing

by Jordan Richardson on January 27, 2012

In today’s hustle-and-bustle world, videoconferencing has become an invaluable tool in many board rooms and offices around the world. It’s a convenient way to connect with people who may otherwise not be able to make it in to the location in person, but new questions are being raised about the security of videoconferencing setups.

According to HD Moore, the chief security expert at Rapid7, tens of thousands of videoconferencing setups the world over are vulnerable to spying and hacker attacks.

Moore, using scanning tools, surveyed a small percentage of the Internet to discover videoconferencing hardware that used what is known as the H.323 protocol – the most commonly used protocol for videoconferencing equipment. Two percent of all videoconferencing setups using the protocol were at risk of hacker infiltration.

The trouble, says Moore, is that the videoconferences were set up to automatically answer incoming calls. On top of that, most didn’t use a firewall.

From his sample size, Moore estimated that more than 150,000 videoconferencing setups were vulnerable to eavesdropping thanks to the microphone and the remote-controlled camera. In positioning the videoconferences without firewalls and with auto-answer features, the setups are effectively “naked” on the Internet and virtually anyone with moderate tech know-how can peer in.

Moore was able to access conferences held in a variety of places, including corporate board rooms, law offices, research facilities, and venture capital firms.

In one startling instance, Moore says he was able to dial in to a conference and operate the camera. Using the zoom function, he saw someone enter a password in on a laptop. Moore watched the room for some 20 minutes without anyone noticing the motion of the camera.

David Maldow, from Telepresence Options, countered Moore’s findings by stating that “it should be noted that projecting an atmosphere of security risk in videoconferencing is clearly in their interest.” Maldow went on to explain that some of Moore’s claims were a little exaggerated. “I simply don’t see a massive threat in the fact that it is possible to get lucky and randomly dial into an anonymous empty meeting room,” wrote Maldow.

response to Maldow’s article is already up and running from Moore. “At the end of the day, we stick by our position that videoconferencing systems are often deployed in an insecure manner and that the risk of unauthorized access is not something that many IT administrators or company executives are aware of today,” says Moore.

Did you like this post ? publishes daily news, editorial, thoughts, and controversial opinion – you can subscribe by: RSS (click here), or email (click here).

Written by: Jordan Richardson. Follow by: RSSTwitterFacebook, or YouTube.

{ 2 comments… read them below or add one }

Emily Gay January 27, 2012 at 4:25 pm

While it’s true that security is a concern for many people when using video conferencing, this article lumped everyone into one category, which is inaccurate. At LifeSize, we ship all our products with auto answer DISABLED for this exact reason. The bigger issue that we see is that video conferencing has traditionally been too complex for many administrators to design, deploy, and manage securely, leaving gaps like the ones described in the article. We strive to make our products simple to use and deploy so users are not left with a security breach. For customers to truly avoid becoming susceptible to hacking, there are three key things they need to do: make sure they have the training and knowledge needed to make informed decisions about building a secure network, leverage the technology available such as NAT/Firewall traversal and encryption to achieve it, and make informed decisions about how they configure and manage their systems to ensure it is maintained. You can read more about this in our blog:

Jordan Richardson January 27, 2012 at 8:32 pm

Emily, I’m not sure what you mean by “this article lumped everyone into one category.” Can you clarify?

Previous post:

Next post: