Hacking boardroom videoconferencing systems


Hacker HD Moore, the creator of Metasploit and chief security officer at Rapid7, has found that videoconferencing equipment is often left wide open for hackers to creep in and peep around organizations.

As described in a report by the New York Times, Moore has demonstrated how he could remotely tour a dozen conference rooms around the globe via the nearly ubiquitous videoconferencing system.

The NYT article details his explorations, which included both rodent stalking and more worrisome, eagle-eyed peeping Tom abilities, thusly:

With the move of a mouse, he steered a camera around each room, occasionally zooming in with such precision that he could discern grooves in the wood and paint flecks on the wall. In one room, he zoomed out through a window, across a parking lot and into shrubbery some 50 yards away where a small animal could be seen burrowing underneath a bush. With such equipment, the hacker could have easily eavesdropped on privileged attorney-client conversations or read trade secrets on a report lying on the conference room table.

Moore has let himself into several top venture capital and law firms, pharmaceutical and oil companies, and courtrooms. He's made it into the boardroom of Goldman Sachs, as well.

It's unclear how the organisations feel about HD Moore's intrusion into their offices.


Here's what Rapid7 CEO Mike Tuchen told the NYT about what this easy trespassing means:

The entry bar has fallen to the floor. These are literally some of the world’s most important boardrooms - this is where their most critical meetings take place - and there could be silent attendees in all of them.

The problem, they say, is that the videoconferencing systems - which rely on an internet protocol that's like a fancy version of Skype - are being set up outside network firewalls, allowing them to receive calls without administrators having to deal with complex network configuration.

Other issues causing the security hole, as paraphrased from the NYT article:

  • New systems are often outfitted with a feature that automatically accepts inbound calls so users do not have to press an "accept" button every time someone dials into their videoconference. The effect is that anyone can dial in and look around a room, and the only sign of their presence is a tiny light on a console unit, or the silent swing of a video camera.
  • Some systems ship with a default setting of no security enabled. Of the Polycom videoconference systems that popped up in Mr. Moore's scan, none blocked control of the camera, asked for a password or muted sound.


To date, no company has reported being hacked via a videoconferencing system. But office hardware is far from immune.

One case the NYT points out was a security breach at the United States Chamber of Commerce in December 2011, when the Chamber discovered that its office printer and a thermostat had been communicating with a Chinese IP address. A subsequent investigation found that hackers had intercepted at least six weeks' worth of email from Asia policy experts.

Around the same time, researchers at Columbia University revealed that remote hackers could install malicious firmware on some HP printers without the owners realizing that they were under attack.

These threats mostly remain in the realm of the hypothetical.

The worst known consequence of the Chamber hack occurred last March, when a printer went berserk and randomly started printing documents with Chinese characters. News reports lack any mention of a Chamber thermostat maliciously spiking in attempts to bake or freeze visitors.

But the theoretical consequences of printer hacking - that document images could be retrieved from printer RAM, that they could be intercepted from wireless printing, that a bad actor who detests trees will deplete your paper tray and waste your expensive ink to print spam - should be worrisome for companies or government bodies with serious concerns about espionage.

The same goes for videoconferencing. Moore has brought attention to a means for spies to infiltrate an organization to eavesdrop and have a look around without being detected.

Any organization vulnerable to espionage should be aware that their videoconferencing system could turn into a set of prying eyes and eavesdropping ears, and should deal with the network configuration so as to lock it down accordingly behind the firewall.
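
A defender-side check for the settings listed above, as an added example that is not from the article, Rapid7 or any vendor. The inventory format, column names, room names and addresses are constructed, and "behind the firewall" is assumed to mean an RFC 1918 address.

```python
import csv
import io
import ipaddress

# Assumption: units behind the firewall use RFC 1918 space. A private address
# can still be exposed by a port forward, so confirm against the firewall rules.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory; the columns are hypothetical, not a vendor export.
SAMPLE_INVENTORY = """\
room,address,auto_answer,mute_on_answer,far_end_camera_control,admin_password_set
Boardroom A,203.0.113.20,yes,no,yes,no
Legal 4F,10.20.4.15,yes,yes,no,yes
Training,10.20.9.40,no,no,yes,yes
Lab,10.20.7.7,no,yes,no,yes
"""

def audit(inventory_text):
    """Return {room: [findings]} for every unit with at least one weak setting."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_text)):
        def on(col):
            return row[col].strip().lower() == "yes"
        addr = ipaddress.ip_address(row["address"].strip())
        exposed = not any(addr in net for net in INTERNAL_NETS)
        findings = []
        if exposed:
            findings.append("reachable outside firewall")
        if on("auto_answer"):
            findings.append("auto-answers inbound calls")
            if not on("mute_on_answer"):
                findings.append("microphone live on auto-answer")
        if on("far_end_camera_control"):
            findings.append("remote caller can steer camera")
        if not on("admin_password_set"):
            findings.append("no admin password")
        # The combination the article describes: exposed and answering by itself.
        if exposed and on("auto_answer"):
            findings.insert(0, "CRITICAL: any internet caller can join silently")
        if findings:
            report[row["room"]] = findings
    return report

if __name__ == "__main__":
    for room, findings in audit(SAMPLE_INVENTORY).items():
        print(f"{room}: " + "; ".join(findings))
```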

Image credit: Videoconference equipment illustration from Shutterstock.


9 Responses to Hacking boardroom videoconferencing systems

  1. Patches53 · 1353 days ago

    Why didn't they set up their own video conference and try to hack in to it then publish - announce their findings?

    Or is that too simple?

  2. "News reports lack any mention of a Chamber thermostat maliciously spiking in attempts to bake or freeze visitors". Brilliant....

    I'm sure there are cleverer ways to intercept email (sniffing all traffic to any IP address is so simple), but yeah, a printer definitely could potentially be a door to the inside.

    The fact that the hackers made their presence known with a bit of mischief could mean that they never found the key in and decided just to send a message.

    I see a new opportunity in security expertise opening up! Printer hardening :)

    Nice story..

    Thx,
    Marcel

  3. nada · 1353 days ago

    Seriously. Anyone (meaning almost all Corporate Security Professionals) who has ever taken time to talk with the AV (audio-video-telephony) team has known most of this since at least 2004. Nice to see it in Metasploit though. This vector is so old news...

  4. Morten Sorensen · 1353 days ago

    Our system lights up (with ringing sound), swings out the camera, turns on two 42" screens and it takes 30-60 seconds before it picks up, so it would be like someone (really slow and noisy) coming into the room. Also the wireless MIC is off when it's in its charger.

    The article's scenario was discussed when setting up the system but we found it very unlikely it would pose a problem and if it did, it would easily be discovered and fixed!

  5. roy jones jr · 1353 days ago

    That is something the IT security need to be aware of. Good article.

  6. Dru · 1353 days ago

    Good use for the thermostat hacking..social engineering...Could be possible to see when a specific room or building is being actively used. After monitoring the thermostat usage for a while, You could also easily pose as someone that works for the HVAC company. Call up the victim and play the role. Ask the right questions and make the right comments..talk about how the usage has been and that you believe there may be some problems. Make a change to the temp while on the phone and confirm the change with the victim. Now they see your access and you can work on trust. Then, maybe schedule an onsite visit to inspect the system. Wear the right clothes and relay the data discussed over the phone and you'll probably get into the building with no problem and the ability to venture around unsupervised. etc etc...

    Or even better, gain access to the thermostat that controls the temp in a datacenter or server room.

    So many things can be done with thermostat control...just need to be creative.

    As for the printer hack....espionage is not the only concern...for printer/fax/scanner devices...anything you've ever printed, faxed, or scanned can possibly be retrieved...cc data, ss#'s from companies processing loans etc...Could probably even redirect a copy of all the printer's activities to an external source...or again, social engineering acting as printer repair etc..

    • Lisa Vaas · 1333 days ago

      Brilliant thermostat hacking scenarios! I'll admit, some of the theoretical hacks sound a bit too Hollywood, but seriously, what would InfoSec be without what one might call paranoia but what more positively could be called proactive imagination?

  7. HD Moore · 1352 days ago

    I just wanted to clarify that we did NOT access Goldman Sachs boardroom! During the course of the research we discovered that some apparently secure systems - such as that belonging to Goldman Sachs - were still vulnerable through so-called "trusted" 3rd party systems that were less secure. We did not take advantage of this to go into Goldman Sachs though.

    For more information on what we did do, read this post: https://community.rapid7.com/community/solutions/...




About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.