Video conference equipment. ShutterstockHacker HD Moore, the maker of Metasploit and chief safety officer at Rapid7, has established that videoconferencing equipment is frequently left broad open for hackers to move stealthily in and peep around organization. As described in a account by the New York Times, Moore has established how he could distantly tour a dozen discussion rooms around the sphere via the nearly ever-present videoconferencing system.
The NYT article particulars his explorations, which fixed rodent pestering and more worrying, eagle-eyed chirping Tom abilities, thusly: With the go of a mouse, he steered a camera about each room, occasionally zooming in with such precision that he could discern grooves in the wood and paint flecks on the wall. In one room, he zoomed out through a window, across a parking lot and into bushes some 50 yards away where a small animal could be seen burrow under a bush. With such equipment, the hacker could have easily eavesdropped on privileged attorney-client conversation or read trade secrets on a report lying on the meeting room table.
Moore has let himself into several top venture capital and law firms, pharmaceutical and oil companies, and courtrooms. He’s made it into the hall of Goldman Sachs, as well.
It’s unclear how the organization feels about HD Moore’s interruption into their office.
Here’s what Rapid7 CEO Mike Tuchen told the NYT about what this simple trespassing means:
The entry bar has fallen to the floor. These are literally some of the world’s most important boardrooms – this is where their most critical meetings take place – and there could be silent attendees in all of them.
The problem, they say, is that the videoconferencing systems – which rely on an internet procedure that’s like a fancy account of Skype – are being set up exterior network firewalls, allow them to receive calls without administrators having to deal with multifaceted network configuration.
Other issues causing the security hole, as paraphrased from the NYT article:
New systems are often outfitted with a feature that automatically accepts inbound calls so users do not have to press an “accept” button every time someone dials into their videoconference. The effect is that anyone can dial in and look around a room, and the only sign of their presence is a tiny light on a console unit, or the silent swing of a video camera.
- Some systems ship with a default setting of no security enabled. Of the Polycom videoconference systems that popped up in Mr. Moore’s scan, none blocked control of the camera, asked for a password or muted sound.
To date, no company has report being hacked via videoconferencing system. But office hardware is far from immune.US hall of CommerceOne case the NYT points out was a security breach at the United States Chamber of Commerce in December 2011, at what time the Chamber discovered that its office printer and a thermostat had been communicating with a Chinese IP address. A subsequent investigation found that hackers had intercept at least six weeks’ worth of email from Asia policy expert.
Around the same time, researchers at Columbia University exposed that remote hackers could fit malicious firmware on some HP printers without the owners realizing that they were under attack.
These threats mostly remain in the realm of the hypothetical.
The worst known consequence of the Chamber hack occurred last March, when a printer went berserk and randomly started printing documents with Chinese characters. News reports lack any mention of a Chamber thermostat maliciously spiking in attempts to bake or freeze visitors.
But the theoretical consequences of printer hacking – that document images could be retrieved from printer RAM, that they could be intercepted from wireless printing, that a bad actor who detests trees will deplete your paper tray and waste your expensive ink to print spam – should be worrisome for companies or government bodies with serious concerns about espionage.
The same goes for videoconferencing. Moore has bring awareness to a means for spies to penetrate an organization to eavesdrop and have a look roughly without being detected. Any organization vulnerable to espionage should be aware that their videoconferencing system could twist into a set of prying eyes and eavesdrop ears, and should deal with the network pattern so as to lock it down accordingly behind the firewall.