knows that number could dial in and, well, literally take a peek at your
office.
“The popularity of video conferencing systems among the venture
capital and finance industries leads to a small pool of incredibly high-value
targets for any attacker intent on industrial espionage or obtaining an unfair
business advantage,” Moore wrote. 19
How hard is it to find these systems? Conferencing systems use a unique
H.323 protocol. So Moore looked at a sliver of the Internet and identified
250,000 systems using that protocol. He estimates from that number that
fewer than five thousand of these were configured to auto-answer—a small
percentage of the whole, but still a very large number by itself. And that’s
not counting the rest of the Internet.
What can an attacker learn from hacking such a system? The
conferencing system camera is under the control of the user, so a remote
attacker could tilt it up, down, left, or right. In most cases the camera does
not have a red light to indicate that it’s on, so unless you are watching the
camera, you might not be aware that someone has moved it. The camera
can also zoom in. Moore said his research team was able to read a six-digit
password posted on a wall twenty feet from the camera. They could also
read e-mail on a user’s screen across the room.
Next time you’re at the office, consider what can be seen from the
videoconferencing camera. Perhaps the department’s organizational chart is
on the wall. Perhaps your desktop screen faces the conference room.
Perhaps pictures of your kids and spouse are visible as well. That’s what a
remote attacker could see and possibly use against your company or even
you personally.
Some system vendors are aware of this issue. Polycom, for example,
provides a multipage hardening (security-strengthening) guide, even
limiting the repositioning of the camera. 20 However, IT staffers don’t
usually have the time to follow guidelines like these, and they often don’t
even deem security a concern. There are thousands of conferencing systems
on the Internet with default settings enabled.
The researchers also discovered that corporate firewalls don’t know how
to handle the H.323 protocol. They suggest giving the device a public
Internet address and setting a rule for it within the corporate firewall.
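What such a firewall rule can look like in practice, as an added illustration that is not from the book, from Moore’s report, or from any vendor guide: an nftables policy that leaves the conferencing endpoint on a public address but only lets two known peer gateways ring it, and logs every other dial-in attempt. The endpoint address (203.0.113.10), the peer addresses in the `h323_peers` set, and the table and chain names are constructed for this example; the port numbers are the standard ones for H.323 call signaling (H.225 on TCP 1720) and registration (RAS on UDP 1719). The commented-out “exposed” rule is the weak setting this policy replaces.

```nft
# Added example policy, not the book's or Polycom's own configuration.
# Assumptions: the conferencing endpoint has the public address 203.0.113.10
# (a documentation address, constructed here) and the only parties that should
# be able to start a call to it are the two peer gateways in h323_peers (also
# constructed). Media (RTP) ports are negotiated inside the call, so the kernel's
# H.323 conntrack helper is assumed to be loaded to open them on demand.

table inet h323_guard {
    set h323_peers {
        type ipv4_addr
        elements = { 198.51.100.20, 198.51.100.21 }   # constructed peer addresses
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Reply traffic and helper-opened media streams for calls already accepted.
        ct state established,related accept

        # Weak setting this policy replaces: the endpoint reachable by anyone,
        # so an auto-answer device picks up for whoever dials its address.
        # ip daddr 203.0.113.10 accept

        # Only listed peers may start a call (H.225 signaling) or register (RAS).
        ip daddr 203.0.113.10 ip saddr @h323_peers tcp dport 1720 accept
        ip daddr 203.0.113.10 ip saddr @h323_peers udp dport 1719 accept

        # Everything else aimed at the endpoint is logged and dropped, so an
        # unsolicited dial-in from an unknown address shows up in the firewall log.
        ip daddr 203.0.113.10 log prefix "h323-unsolicited: " drop
    }
}
```

Load it with `nft -f` and watch the kernel log for the `h323-unsolicited:` prefix; a steady trickle of hits from unknown addresses is exactly the scanning the text describes, now visible instead of silently answered. Keeping the chain policy at accept limits the effect to the endpoint’s own address; on a real perimeter the rest of the forwarding policy would sit in the same chain.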