Corporate Boardrooms Open To Eavesdropping
cweditor writes "One afternoon this month, a hacker toured a dozen corporate conference rooms via equipment that most every company has in those rooms: videoconferencing. Rapid7 says they could 'easily read a six-digit password from a sticky note over 20 feet away from the camera' and 'clearly hear conversations down the hallway from the video conferencing system.' With some systems, they could even capture keystrokes being typed in the room. Teleconferencing vendors defended their security, saying the auto-answer feature that left those systems vulnerable was an effort to strike the right balance between security and usability."
This may be good for some corporate espionage. But if any hacker is doing this thinking he's going to expose the dark corporate underbelly, he's going to be disappointed.
If my experience is any indication, the evil stuff doesn't go on in rooms like that. Contrary to the movies, you have very few open meetings where a bunch of guys sit around and openly plot evil deeds. Most of that stuff is done in much smaller settings, and even then they use euphemisms and obfuscation. It's not like someone says openly "Hey, can we bribe some local politicians so we can get away with dumping our factory wastewater into their rivers?" Instead they say something like "How can we cut costs at this factory?" to which someone else responds "Well, if we could get rid of the burdensome environmental regulations down there, then it would help with profitability" to which someone else responds "I'll call our people there and have them talk with some of our political allies."
I imagine some "hacktivists" will hack these systems expecting to get a smoking gun. But after hours of watching, all they'll get are a lot of boring meetings filled with financial figures, shitty powerpoint presentations, and corporate-speak platitudes. It'll be a lot less "Here's our secret plan" and a lot more "Here are the fourth quarter earnings breakdowns" and "Let's talk about how we build synergy in Asian markets..."
SJW: Someone who has run out of real oppression, and has to fake it.
One of those companies goes after him on wiretapping or illegally accessing their networks?
If I were looking to do insider trading I wouldn't be bored at all.
I remember when Microsoft automatically executing email attachments was intended to strike the right balance between security and usability. That was a long time ago, in a galaxy far, far away. But still. Everyone saw the security disaster coming. The "I Love You" email was one of the first to get widespread attention enough to be Microsoft's wake up call on taking security seriously. Gone were the days when you could send dot-dot-slash in a URL to work your way up the inetpub wwwroot directories and then to windows / tftp.exe to pull down malware from evil.com on a fully patched NT 4.0 IIS.
I'll see your senator, and I'll raise you two judges.
This should be done systematically and published in quarterly batches, wikileaks style. If the powers that be, who are destroying our freedom and economy as fast as ever they can, can spy on us then it's time we turned the tables. Give them no place to hide.
Do what you can, with what you have, where you are.
Saying that you're not going to find anything is a hilarious misdirect of the fact that the vulnerability has existed for a long time and still does.
Saying "oh they won't find anything" is still not an answer to "but we left the door wide open".
My experience with those VTC devices is that when they're off, they make efforts to show that they are indeed off, and conversely when someone connects they do stuff like swivel the camera around, turn on lights, etc... It may be possible to do that without someone noticing, but it seems more likely that you're going to get a whole lot of attention from some high power folks.
I read the internet for the articles.
an effort to strike the right balance between security and usability
Microsoft used that same excuse for the early security problems in Windows. It's time we hear a new reason used to rationalize poor design.
Not really that new. Most telephone systems allow it too.
The Samsung OfficeServ I have, I'm pretty sure I read in the manual about a "silent auto-answer pickup" you can do to a remote phone to tap into the speakerphone and hear anything said in the room WITHOUT indication of what you're doing on the target phone. All you need is the right passcode (which is easy if you're the IT guy) and the phone extension and you can hear whatever is said in that room.
Given that phones are much more prevalent, much less prominent, and much more unexpected to be "hacked", I think you'd always have had greater success that way. And modern telecoms is all managed on the LAN and sometimes even remotely, so it's just as at risk as anything else.
The number one rule, of course, is don't let third-parties have access to your network, and don't have those sorts of "features" turned on.
it's having it set to auto-accept. I understand why people leave it on, it's because they are lazy. Either the person installing it doesn't want to field support calls every time an admin assistant or board member can't figure out that video/tv doohickey, or they don't want to take the time to train the folks on how to use it. I suppose "ease of use" is another excuse, but in the end this is akin to leaving your cell phone set to auto answer. Nobody has their cell/desk/home phone set to just pick up, you have it ring. Why should a "video phone" be any different? These things need to be publicly addressable because of the nature of who you may need to connect to. It's an extreme PITA to have to configure/re-configure for every call. Now the flip side of this is now more folks are going to try this sort of exploit on a public IP address and the phone will be ringing with spammers even if you have it configured to require a manual answer. So it looks like some of the ease of use of having a publicly addressable VC system is going to go away.
My experience is as a scientist and probably is of limited value in other fields, but: I've seen places where the remote meeting culture centered on video conferencing and I've seen places where it instead centered on audio, with the video replaced by slides. The slides normally show useful experimental data or borderline useful financial data. The video normally shows bored people.
When an internal meeting has video it's generally a sign that the meeting doesn't actually need to happen - it's better done through a couple emails or a quick IRC-equivalent chat. Again, outside the world of a scientist I expect this to be different.
"I zero-index my hamsters" - Willtor (147206)
being, of course, that which is no QA cost to the vendor.
There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.
I had a job interview a few years ago, and instead of an office, we went to a boardroom. On a whiteboard there were 2 phone numbers with names attached, and right next to those were the passcodes for their voicemail. One was the HR person who was conducting the interview.
I'm glad that for political reasons we use a third party reflector to do our video conferencing. Basically one of our partners had a flaky video conferencing setup that their IT guys couldn't or wouldn't fix but were all too happy to blame us because we would host the conferences. We tried everything we could to ensure things went smoothly but when we could find no faults with our setup (and many other sites around the world never dropped) we implemented a layer 8 solution and moved the hosting of the conference off our equipment and onto a third party reflector. The other party continued to drop until their management got so fed up with the obviousness that it was their fault that they hired someone to fix it. Since it works and protects us politically we've kept the system, guess there's a nice bonus out of it in that we have no open inbound ports for the video conferencing gear =)
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
I go into a lot of boardrooms in my line of business and I was actually at a business a few weeks ago that was obviously concerned about this, so they used the low-tech solution of a cardboard box over the videoconferencing device.
On the box, in handwritten black magic marker, it said "Do not remove unless participating in a video conference!" Not exactly high-tech, but I suppose it was more effective than nothing.
At a place I used to work there was this one room that had a camera on a 2 axis pivot/drive. It was creepy when it would turn on and swing around to point right at you.
Skype is making inroads into meetings because it is easy to get to work as opposed to those things. Most fixed video systems are incompatible, so you cannot call any meeting room - it has to be a specific meeting room with similar equipment and even then it seldom works.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
When we bought our video conferencing system, the vendor that implemented gave us their VTC unit's number for testing. Their test VTC system is in their main conference room.
Well, one day we were demoing the unit to a group of people and we called the vendor's unit. They were in the middle of an intense meeting, the CTO of the company was nearly yelling at his staff about a missed sale - I guess he saw the camera swivel into position and yelled "Who turned that bloody thing on! Turn it off!"
Pretty funny from our point of view, and our sales rep called later to apologize.
So if the vendor that implements these for a living can't remember to turn off auto-answer when it's important, how can anyone else? I'm surprised at the number of companies that leave auto-answer turned on. (and am also surprised at the number of companies that re-use conference bridge numbers, I accidentally called into a conference bridge an hour early for a meeting, and got to listen to the vendor talking with a competitor about a new project).
Most fixed video systems are incompatible, so you cannot call any meeting room
Can Skype call out to other video conferencing solutions? I know you can call a telephone number, but I didn't realize you could, for example, call a Google+ Hangout.
Ceci n'est pas un sig.
Now all you need is SOUND proofing..
Insert
Unless everyone leaves their electronic gadgets at the door you'll always have plenty of resources to gather info. The problem is that many want their toys, even when it doesn't concern the topic under discussion, so even if you fully sweep a room (which presently costs a good €400 per square meter for government/military quality sweeps) you'll lose the overall battle.
If you have vidcom in a room you should not assume that room to be more than low level secure unless you have crypto secured the communication (i.e. closed network only). And even then I'd unplug the thing by default..
The problem is that CEOs are so stupid they refuse to use the videoconference gear like a normal human. They demand the things auto answer which is a GIANT hole. Plus they refuse to do the smart thing and put in a border controller. Instead they buy an external IP for the VC gear and put them raw on the internet. Again retarded as hell. But this IS common for executives. They refuse to pay $6500.00 for the device they need and were told would increase security. Instead they demand it's done as cheap as possible.
And this is what happens. Polycom, Tandberg, and Sony VC equipment on the internet with no firewall and set to auto answer. Discover the IP address of a VC system and call it using a standard H323 software client and you are now listening to the room and looking out the cameras. Hell, you can pan and zoom the camera if you want.
The problem is the Executives. They refuse to spend the money to install a secure VC system and they refuse to learn the gear.
Do not look at laser with remaining good eye.
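The exposure described in the comment above (VC units on public addresses, auto-answer on, no border controller) is something a firewall log can reveal after the fact. The following is an added detection example, not code from the thread or from any vendor: it scans constructed firewall-style log lines for accepted inbound H.323 call-setup connections (TCP/1720, the H.225.0 signalling port) to the VC endpoints and flags any source outside a partner allowlist. The endpoint and partner addresses are hypothetical placeholders from documentation ranges.

```python
"""Flag accepted inbound H.323 call-setup (TCP/1720) to VC endpoints from
sources that are not on the partner allowlist. Added example; the log
format, endpoint addresses and partner networks are all constructed."""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical inventory: public addresses of our VC units.
VC_ENDPOINTS = {"203.0.113.10", "203.0.113.11"}
# Hypothetical partner networks that are expected to dial in.
PARTNER_NETS = [ipaddress.ip_network("198.51.100.0/24")]
H225_PORT = 1720  # H.323 call signalling (H.225.0) listens here

LOG_RE = re.compile(
    r"action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)

@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    reason: str

def _allowed(src: str) -> bool:
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in PARTNER_NETS)

def find_unsolicited_calls(lines):
    """Return one Alert per accepted inbound H.225 connection to a VC
    endpoint whose source is outside the partner allowlist."""
    alerts = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a connection record
        if m["proto"].lower() != "tcp" or int(m["dport"]) != H225_PORT:
            continue  # not H.323 call signalling
        if m["dst"] not in VC_ENDPOINTS:
            continue  # not one of our VC units
        if m["action"].lower() != "accept":
            continue  # the firewall already blocked it
        if _allowed(m["src"]):
            continue  # expected partner site
        alerts.append(Alert(m["src"], m["dst"],
                            "inbound H.323 call setup from non-partner source"))
    return alerts

# Constructed sample log lines: one partner call, one unknown caller that
# got through, one blocked attempt, and one unrelated HTTPS connection.
SAMPLE_LOG = [
    "Jan 23 19:02:11 fw1 action=accept proto=tcp src=198.51.100.7:40211 dst=203.0.113.10:1720",
    "Jan 23 19:05:43 fw1 action=accept proto=tcp src=192.0.2.55:51902 dst=203.0.113.10:1720",
    "Jan 23 19:06:01 fw1 action=drop proto=tcp src=192.0.2.56:51903 dst=203.0.113.11:1720",
    "Jan 23 19:07:30 fw1 action=accept proto=tcp src=192.0.2.57:443 dst=203.0.113.10:443",
]
```

Running `find_unsolicited_calls(SAMPLE_LOG)` reports only the second line; a unit with auto-answer enabled would already have picked up that call, so the alert is the cue to review who was on the other end.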
I think these toys could be used for punishment
Force your errant child/dog/cat/whatever to sit in front of one of these eavesdropping sessions for a while with nothing else to do.
They will shape up fast.
Most Respectfully Yours, Mark Allyn, Bellingham, Washington
the auto-answer feature that left those systems vulnerable was an effort to strike the right balance between security and usability.
I used to work for an organization that sold a great deal of this equipment. I once asked a vendor if they thought "auto answer" was really a sane default for devices often connected to displays which power separately, while the device (and its recording implements) remain on line all the time in common deployments.
I got pretty much the same line as in the quote. Which I also found a little astonishing, because I have never had a telephone that even featured "auto answer" let alone defaulted to it, and they do pretty much use the telephone as the analog for all their UI elements.
Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
I first looked at the headline, and thought it said corporate bedrooms are open for eavesdropping. Figured Carly Fiorina must be getting pretty lonely or something else far worse. I guess I really do have to have caffeine in the mornings. That, and brain-bleach.
VTC is the thing that all executives want to have, but that never gets used. They are bought with great fanfare and everyone wants to use it - for about 90 days - then the controls sit in the corner collecting dust. Having one that is actually powered on and functional would be a novelty.
Where is my cone of silence when I need it!
"Teleconferencing vendors say they're trying to strike the right balance between security and usability"
Where's the balance? The amount of security is exactly zero. You can't have a balance between two things if you don't have any of one.
As for usability, the concept of answering a call is too advanced for the people in these boardrooms? This goes a long way to explaining the financial crisis.
Hm, I read Corporate Bedrooms. Now that would be a nice idea, never mind the eavesdropping.
On second thought, let's not go to Camelot. It is a silly place.
Are you effin' kidding me? Any vendor that claims an autoanswer feature as a compromise between security and usability is one that wouldn't be getting my business! That's just being damn lazy, if you want to take a call, push a button: denial of service through inaction in that case is where the smart money is. Cisco, take heed!
Operation Guillotine is in effect.
I've often thought about this; do any net based conferencing solutions such as Skype and Hangout have any compatibility to each other? If not, why not? Is the lack of interoperability purely politically-based, or is it a technological problem (that can be solved, all tech problems can be solved)?
Per the NYT article about this, access was easily obtained to operating rooms in hospitals and law firms. These are areas where there are strict standards of confidentiality. Having no security at all and allowing open access without any passwords or any questioning at all, as occurred here, may open up hospitals and lawyers to lawsuits from clients and patients. Feds are going after providers with bigger fines these days for HIPAA violations. Hard to see how a suit against a hospital could be defended against when there was no security at all. Apparently also, once into one open system may allow piggybacking into other organizations which may compound the liability issue. Next stop from a law firm's open videoconferencing was potentially a Goldman Sachs boardroom. IT professionals should probably check their systems and warn clearly in writing of such lax security to avoid having their own heads on the chopping block.
I used to work for Tandberg implementing SRTP and other things for SIP based communication. Let me make a few things clear.
1) I left because I hated the idea of making a $1,000-$100,000 alternative to Skype which is generally better across the board.
2) We had a big ass interop lab and we did do lots of interop testing with other vendors. It was a quiet agreement we had to try and make it easier for us to steal customers from each other.
3) Most of those REALLY expensive video conferencing systems are purchased because:
a) just owning it lets you claim a reduced carbon foot-print and get tax cuts bigger than the cost of the phone from the government.
b) Having a dual 56" or 65" video conferencing system in your conference room makes your company look really important. Sales people (meaning everyone who sits in conference rooms for a living) love how fancy they look. I know people at McKinsey that have purchased these and not even hooked them up as furniture. It gives the appearance that you have a direct line into the white house.
c) Companies like tandberg and polycom intentionally cut deals with people they know are on their way out of the company. You know people with purchasing/decision making power who are planning to go to another company in 6 months. Then they say "Let me leave this in your conference room for a year, if you don't use it, we'll come pick it up. If you do, then we'll invoice you. Oh and by the way (in a joking tone), putting this in will look great on your Resume/CV when you mention how much of a carbon foot print reduction you accomplished at your company.". Then the guy leaves and no one is left that has any idea what the real agreement was and the invoice comes in and gets paid.
The best comment I have ever heard from a room full of McKinsey types was "It is incredibly cool looking, we love it.", "How much do you use it?", "We don't touch that, we just use Skype, we're scared to break it".
The fact is, Tandberg and Polycom equipment are insanely hard to use for most people. No one wants to use a telephone which actually requires training to figure out. Remember that these phones are used primarily by people who every time they go somewhere to present something end up needing 10 minutes to get their laptop connected to the projector. That usually requires pressing power on the projector, selecting VGA input and then plugging the laptop in. Imagine a system where simply dialing another user can take 20 or more button presses?
These days, the best option for everyone is just to buy a 40" or bigger TV, a high end web cam, a PC with a proper sound card (this is important), and some speakers and a microphone, then use Skype. Skype performs MUCH MUCH better when the audio input and output are connected to the same crystal. This allows for high quality echo cancellation with far less CPU time. There are some special microphones out there where you can plug the audio output of the computer into the microphone and the microphone will subtract the audio output from the audio input which is even better... but if you use analog circuits, you get low latency but lower audio quality. If you use digital circuits, you get higher quality but also higher latency.
As for compatibility with other systems, well... the nice part about a rig like this is, you can have a desktop full of icons and you can call one person with Skype and another with something else. The programs are typically free, so why bother paying big bucks for them.