Advanced digital videoconferencing equipment has vastly improved meeting opportunities for coworkers and clients across the globe, but the new systems can also be hacked to spy on those meetings, potentially jeopardizing confidential client data or corporate secrets.
In a recent demonstration, HD Moore, a chief security officer at Boston-based IT security company Rapid7, showed that he could remotely manipulate videoconferencing equipment to hear or see anything in a board room. “These are literally some of the world's most important boardrooms — this is where their most critical meetings take place — and there could be silent attendees in all of them,” warned Mike Tuchen, chief executive of Rapid7.
According to Tuchen, these vulnerabilities are caused by IT administrators setting up videoconferencing links outside of company firewalls and configuring them in ways that create easy targets for hackers. No company has yet announced that they have been compromised using videoconferencing, but it is also entirely possible that companies have been victimized and may not be aware.
Some new systems are outfitted with a feature that does not require users to accept every person that dials into their conference. These features can help a meeting run more smoothly, but could also make uninvited guests much harder to detect. Moore recently wrote a computer program that would allow him to detect any videoconferencing links located outside their company firewalls and configured to automatically answer calls. In less than two hours, he scanned about 3 percent of the Internet, discovering 5,000 open conference links at law firms, pharmaceutical companies, oil refineries, universities and medical centers.
In order to prevent hackers from being able to do the same, Rapid7 recommends companies set up a "gatekeeper" that securely connects calls from outside the company firewall.
We enjoy helping our customers each and every day.