Slashdot Mirror
Corporate Boardrooms Open To Eavesdropping
cweditor writes "One afternoon this month, a hacker toured a dozen corporate conference rooms via equipment that most every company has in those rooms: videoconferencing. Rapid7 says they could 'easily read a six-digit password from a sticky note over 20 feet away from the camera' and 'clearly hear conversations down the hallway from the video conferencing system.' With some systems, they could even capture keystrokes being typed in the room. Teleconferencing vendors defended their security, saying the auto-answer feature that left those system vulnerable was an effort to strike the right balance between security and usability."
This may be good for some corporate espionage. But if any hacker is doing this thinking he's going to expose the dark corporate underbelly, he's going to be disappointed.
If my experience is any indication, the evil stuff doesn't go on in rooms like that. Contrary to the movies, you have very few open meetings where a bunch of guys sit around and openly plot evil deeds. Most of that stuff is done in much smaller settings, and even then they use euphemisms and obfuscation. It's not like someone says openly "Hey, can we we bribe some local politicians so we can get away with dumping our factory wastewater into their rivers?" Instead they say something like "How can we cut costs at this factory?" to which someone else responds "Well, if we could get rid of the burdensome environmental regulations down there, then it would help with profitability" to which someone else responds "I'll call our people there and have them talk with some of our political allies."
I imagine some "hacktivists" will hack these systems expecting to get a smoking gun. But after hours of watching, all they'll get are a lot of boring meetings filled with financial figures, shitty powerpoint presentations, and corporate-speak platitudes. It'll be a lot less "Here's our secret plan" and a lot more "Here are the fourth quarter earnings breakdowns" and "Let's talk about how we build synergy in Asian markets..."
SJW: Someone who has run out of real oppression, and has to fake it.
If I were looking to do insider trading I wouldn't be bored at all.
I remember when Microsoft automatically executing email attachments was intended to strike the right balance between security and usability. That was a long time ago, in a galaxy far, far away. But still. Everyone saw the security disaster coming. The "I Love You" email was one of the first to get widespread attention enough to be Microsoft's wake up call on taking security seriously. Gone were the days when you could send dot-dot-slash in a URL to work your way up the inetpub wwwroot directories and then to windows / tftp.exe to pull down malware from evil.com on a fully patched NT 4.0 IIS.
I'll see your senator, and I'll raise you two judges.
Saying that you're not going to find anything is a hilarious misdirect of the fact that the vulnerability has existed for a long time and still does.
Saying "oh they won't find anything" is still not an answer to "but we left the door wide open".
an effort to strike the right balance between security and usability
Microsoft used that same excuse for the early security problems in Windows. It's time we hear a new reason used to rationalize poor design.
Not really that new. Most telephone systems allow it too.
The Samsung OfficeServ I have, I'm pretty sure I read in the manual about a "silent auto-answer pickup" you can do to a remote phone to tap into the speakerphone and hear anything said in the room WITHOUT indication of what you're doing on the target phone. All you need is the right passcode (which is easy if you're the IT guy) and the phone extension and you can hear whatever is said in the that room.
Given that phones are much more prevalent, much less prominent, and much more unexpected to be "hacked", I think you'd always have had greater success that way. And modern telecoms is all managed on the LAN and sometimes even remotely, so it's just as at risk as anything else.
The number one rule, of course, is don't let third-parties have access to your network, and don't have those sorts of "features" turned on.
[...] a whole lot of attention from some high power folks.
Of all the people I have had to brief on new hardware or software those "high power folks" always were the ones who paid the least bit of attention. Well, of course, since whenever they forget which button to press they have a whole army of subordinates to call in and have them get it going for them. You probably could wire a whole fucking Christmas tree lighting to the system and they still would be hard-pressed to notice something happening when it is turned on.
Rudolf Hess edited Mein Kampf. He was the very first grammar nazi.
My experiance with those VTC devices is that when they're off, they make efforts to show that they are indeed off, and conversely when someone connects they do stuff like swivel the camera around, turn on lights, etc... It may be possible to do that without someone noticing, but it seems more likely that you're going to get a whole lot of attention from some high power folks.
Since the company I work at does consulting for C-suite people at a lot of different organizations, I'm pretty sure I have observed enough people to cross the line from anecdotal experience to enough data to form a hypothesis (somebody should test it).
The "higher ups" don't understand technology, even as simple as videoconferencing equipment with a remote that is simpler than a typical cable-TV remote.
When they want to use a video conference, they get somebody from "IT" to come in, click the three buttons that make it hook up, then do their conference, and leave the room, still leaving the conference running because they don't know what the "hang-up" button does.
It isn't that they are idiots, it is just that they don't care, they have "people who handle that stuff" so they don't have to.
So, if the camera comes on, swivels around, auto-focuses, red lights come on, they ignore it, because they don't perceive it as "something I need to concern myself with".
"Flame away, I wear asbestos underwear"
it's having it set to auto-accept. I understand why people leave it on, it's because they are lazy. Either the person installing it doesn't want to field support calls every time an admin assistant or board member can't figure out that video/tv doohikie, or they don't want to take the time to train the folks on how to use it. I suppose "ease of use" is another excuse, but in the end this is akin to leaving your cell phone set to auto answer. Nobody has their cell/desk/home phone set to just pick up, you have it ring. Why should a "video phone" be any different? These things need to be publicly addressable because of the nature of who you may need to connect to. It's an extreme PITA to have to configure/re-configure for every call. Now the flip side of this is now more folks are going to try this sort of exploit on a public IP address and the phone will be ringing with spammers even if you have it configure to require a manual answer. So it looks like some of the ease of use of having a publicly addressable VC system is going to go away.
My experience is as a scientist and probably is of limited value in other fields, but: I've seen places where the remote meeting culture centered on video conferencing and I've seen places where it instead centered on audio, with the video replaced by slides. The slides normally show useful experimental data or borderline useful financial data. The video normally shows bored people.
When an internal meeting has video it's generally a sign that the meeting doesn't actually need to happen - it's better done through a couple emails or a quick IRC-equivalent chat. Again, outside the world of a scientist I expect this to be different.
"I zero-index my hamsters" - Willtor (147206)
I'm glad that for political reasons we use a third party reflector to do our video conferencing. Basically one of our partners had a flaky video conferencing setup that their IT guys couldn't or wouldn't fix but were all too happy to blame us because we would host the conferences. We tried everything we could to insure things went smoothly but when we could find no faults with our setup (and many other sites around the world never dropped) we implemented a layer 8 solution and moved the hosting of the conference off our equipment and onto a third party reflector. The other party continued to drop until their management got so fed up with the obviousness that it was their fault that they hired someone to fix it. Since it works and protects us politically we've kept the system, guess there's a nice bonus out of it in that we have no open inbound ports for the video conferencing gear =)
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
It sounded like the examples given were to use the rooms when nobody is in there:
1) look inside the empty room and see what was left on the white board or post it notes etc.
2) listen and here people in an another room.
That seems quite clever and hard to notice. Somebody might walk in, notice the conf system is on and turn it off.
Spying on an actual meeting happening in the same room that the conf system did not seem to be the main target.
I go into a lot of boardrooms in my line of business and I was actually at a business a few weeks ago that was obviously concerned about this, so they used the low-tech solution of a cardboard box over the videoconferencing device.
On the box, in handwritten black magic marker, it said "Do not remove unless participating in a video conference!" Not exactly high-tech, but I suppose it was more effective than nothing.
At a place i used to work there was this one room that had a camera on a 2 axis pivot/drive. it was creepy when it would turn on and swing around to point right at you.
It was a test. Did you mention it to them?
[John]
Shit better not happen!
When we bought our video conferencing system, the vendor that implemented gave us their VTC unit's number for testing. Their test VTC system is in their main conference room.
Well, one day we were demoing the unit to a group of people and we called the vendor's unit. They were in the middle of an intense meeting, the CTO of the company was nearly yelling at his staff about a missed sale - I guess he saw the camera swivel into position and yelled "Who turned that bloody thing on! Turn it off!"
Pretty funny from our point of view, and our sales rep called later to apologize.
So if the vendor that implements these for a living can't remember to turn off auto-answer when it's important, how can anyone else? I'm surprised at the number of companies that leave auto-answer turned on. (and am also surprised at the number of companies that re-use conference bridge numbers, I accidentally called into a conference bridge an hour early for a meeting, and got to listen to the vendor talking with a competitor about a new project).
The problem is that CEO's are so stupid they refuse to use the videoconference gear like a normal human. They demand the things auto answer which is a GIANT hole. Plus they refuse to do the smart thing and put in a Border controller. Instead they buy an external IP for the VC gear and put them raw on the internet, Again retarded as hell. But this IS common for executives. They refuse to pay $6500.00 for the device they need and was told would increase security. Instead they demand it's done as cheap as possible.
and this is what happens. Polycom, tandberg, and sony VC equipment on the internet with no firewall and set to auto answer. discover the IP address of a VC system and call it using a Standard H323 software client and you are now listening to the room and looking out the cameras. Hell you can pan and zoom the camera if you want.
The problem is the Executives. They refuse to spend the money to install a secure VC system and they refuse to learn the gear.
Do not look at laser with remaining good eye.
There's no wiretapping if you installed the device yourself and left it to automagically answer the phone, which is what this is about. By doing so, you are giving "authorization" to anyone and everyone to use the device.
It's like leaving a computer connected to the net with root login enabled and the enter key as the password. Whether it was a conscious decision or your own incompetence, nobody is really exceeding authorization by logging in as root.
It's called not even reading the quickstart card and taking 5 seconds to think.
--
BMO
I actually did mount a piece of pegboard in an equipment rack with a smoked glass door and put christmas lights in the holes. I used the kind of lights that have a controller box for running patterns, and set it on "random", and left it running for about five years.
People with suits and ties would just stare at that thing in awe. My boss used to do her dog'n'pony shows standing in front of it.
But a telecommunications device is not a house or a car, and the laws for communications are different because of that.
Metaphors are not laws.
--
BMO
Nice! Mine was labeled "Rozhdyestvo Photonic Emitter" in a very officious font, large enough to read through the smoked glass.
My boss is a native Russian speaker, and Rozhdyestvo is a latinization of ÐоÐÐÐÑÑÐо, which means Christmas. So I literally labeled it "Christmas lights".
My boss was the only one who ever noticed, which was exactly what I intended. She laughed her ass off.