Hacker HD Moore, the creator of Metasploit and chief security officer at Rapid7, has found that videoconferencing equipment is often left wide open for hackers to creep in and peep around organizations.
As described in a report by the New York Times, Moore has demonstrated how he could remotely tour a dozen conference rooms around the globe via the nearly ubiquitous videoconferencing system.
The NYT article details his explorations, which included both rodent stalking and, more worrisome, eagle-eyed peeping-Tom abilities:
With the move of a mouse, he steered a camera around each room, occasionally zooming in with such precision that he could discern grooves in the wood and paint flecks on the wall. In one room, he zoomed out through a window, across a parking lot and into shrubbery some 50 yards away where a small animal could be seen burrowing underneath a bush. With such equipment, the hacker could have easily eavesdropped on privileged attorney-client conversations or read trade secrets on a report lying on the conference room table.
Moore has let himself into several top venture capital and law firms, pharmaceutical and oil companies, and courtrooms. He’s made it into the boardroom of Goldman Sachs, as well.
It’s unclear how the organizations feel about HD Moore’s intrusion into their offices.
Here’s what Rapid7 CEO Mike Tuchen told the NYT about what this easy trespassing means:
The entry bar has fallen to the floor. These are literally some of the world’s most important boardrooms - this is where their most critical meetings take place - and there could be silent attendees in all of them.
The problem, they say, is that the videoconferencing systems – which rely on an internet protocol that’s like a fancy version of Skype – are being set up outside network firewalls, allowing them to receive calls without administrators having to deal with complex network configuration.
Other issues causing the security hole, as paraphrased from the NYT article:
- New systems are often outfitted with a feature that automatically accepts inbound calls so users do not have to press an "accept" button every time someone dials into their videoconference. The effect is that anyone can dial in and look around a room, and the only sign of their presence is a tiny light on a console unit, or the silent swing of a video camera.
- Some systems ship with a default setting of no security enabled. Of the Polycom videoconference systems that popped up in Mr. Moore's scan, none blocked control of the camera, asked for a password or muted sound.
To date, no company has reported being hacked via a videoconferencing system. But office hardware is far from immune.
One case the NYT points out was a security breach at the United States Chamber of Commerce in December 2011, when the Chamber discovered that its office printer and a thermostat had been communicating with a Chinese IP address. A subsequent investigation found that hackers had intercepted at least six weeks’ worth of email from Asia policy experts.
Around the same time, researchers at Columbia University revealed that remote hackers could install malicious firmware on some HP printers without the owners realizing that they were under attack.
These threats mostly remain in the realm of the hypothetical.
The worst known consequence of the Chamber hack occurred last March, when a printer went berserk and randomly started printing documents with Chinese characters. News reports lack any mention of a Chamber thermostat maliciously spiking in attempts to bake or freeze visitors.
But the theoretical consequences of printer hacking – that document images could be retrieved from printer RAM, that they could be intercepted from wireless printing, that a bad actor who detests trees will deplete your paper tray and waste your expensive ink to print spam – should be worrisome for companies or government bodies with serious concerns about espionage.
The same goes for videoconferencing. Moore has brought attention to a means for spies to infiltrate an organization to eavesdrop and have a look around without being detected.
Any organization vulnerable to espionage should be aware that its videoconferencing system could turn into a set of prying eyes and eavesdropping ears, and should do the network configuration work needed to lock the system down behind the firewall.
Image credit: Videoconference equipment illustration from Shutterstock.