By NICOLE PERLROTH
One afternoon this month, a hacker took a tour of a dozen conference rooms around the globe via equipment that most every company has in those rooms: videoconferencing equipment.
With the move of a mouse, he steered a camera around each room, occasionally zooming in with such precision that he could discern grooves in the wood and paint flecks on the wall. In one room, he zoomed out through a window, across a parking lot and into shrubbery some 50 yards away where a small animal could be seen burrowing underneath a bush. With such equipment, the hacker could have easily eavesdropped on privileged attorney-client conversations or read trade secrets on a report lying on the conference room table.
In this case, the hacker was HD Moore, a chief security officer at Rapid7, a Boston-based company that looks for security holes in computer systems that are used in devices like toaster ovens and Mars landing equipment. His latest find: videoconferencing equipment is often left vulnerable to hackers.
Businesses collectively spend billions of dollars each year beefing up security on their computer systems and employee laptops. They agonize over the confidential information that employees send to their Gmail and Dropbox accounts and store on their iPads and smartphones. But rarely do they give much thought to the ease with which anyone can penetrate a videoconference room where their most guarded trade secrets are openly discussed.
Mr. Moore has found it easy to get into several top venture capital and law firms, pharmaceutical and oil companies and courtrooms across the country. He even found a path into the Goldman Sachs boardroom. “The entry bar has fallen to the floor,” said Mike Tuchen, chief executive of Rapid7. “These are literally some of the world’s most important boardrooms — this is where their most critical meetings take place — and there could be silent attendees in all of them.”
Ten years ago, videoconferencing systems were complicated and erratic, and ran on expensive, closed high-speed phone lines. Over the last decade, videoconferencing — like everything else — migrated to the Internet. Now, most businesses use Internet protocol videoconferencing — a souped-up version of Skype — to connect with colleagues and customers. Most of these new systems were designed with visual and audio clarity — not security — in mind.
Rapid7 discovered that hundreds of thousands of businesses were investing in top-quality videoconferencing units, but were setting them up on the cheap. At last count, companies spent an estimated $693 million on group videoconferencing from July to September of last year, according to Wainhouse Research.
The most popular units, sold by Polycom and Cisco, can cost as much as $25,000 and feature encryption, high-definition video capture, and audio that can pick up the sound of a door opening 300 feet away. But administrators are setting them up outside the firewall and are configuring them with a false sense of security that hackers can use against them.
Whether real hackers are exploiting this vulnerability is unknown; no company has announced that it has been hacked. (Nor would one, and most would never know in any case.) But with videoconference systems so ubiquitous, they make for an easy target.
It certainly would not be the first time hackers had exploited holes in office hardware. After a security breach at the United States Chamber of Commerce last year, the Chamber discovered that its office printer, and even a thermostat in a Chamber-owned apartment, had been communicating with an Internet address in China.
But with videoconferencing, companies have seemingly gone out of their way to make themselves vulnerable. In many cases, they are not only putting their systems on the Internet, but setting them up in a way that allows anyone to listen in unnoticed.
New systems are outfitted with a feature that automatically accepts inbound calls so users do not have to press an “accept” button every time someone dials into their videoconference. The effect is that anyone can dial in and look around a room, and the only sign of their presence is a tiny light on a console unit, or the silent swing of a video camera.
Two months ago, Mr. Moore wrote a computer program that scanned the Internet for videoconference systems that were outside the firewall and configured to automatically answer calls. In less than two hours, he had scanned 3 percent of the Internet.
In that sliver, he discovered 5,000 wide-open conference rooms at law firms, pharmaceutical companies, oil refineries, universities and medical centers. He stumbled into a lawyer-inmate meeting room at a prison, an operating room at a university medical center, and a venture capital pitch meeting where a company’s financials were being projected on a screen. Among the vendors that popped up in Mr. Moore’s scan were Polycom, Cisco, LifeSize, Sony and others. Of those, Polycom — which leads the videoconferencing market in units sold — was the only manufacturer that ships its equipment — from its low-end ViewStation models to its high-end HDX products — with the auto-answer feature enabled by default.
In an e-mail, Shawn Dainas, a Polycom spokesman, said the auto-answer feature had several safety elements built in that could be activated by a customer, including password protections, auto-mute and camera control lockup, adding that Polycom also offered a camera lens cover. He said the “security levels have been designed to make it easy for our customers to enable security that is appropriate to their business.”
Of the Polycom videoconference systems that popped up in Mr. Moore’s scan, none blocked control of the camera, asked for a password or muted sound.
“Many Polycom systems are sold, installed and maintained without any level of access security, with auto-answer enabled by default,” Mr. Moore says. “It boils down to whether organizations are aware of the risk, and our research indicates that many, even well-heeled venture capital firms, were not aware and do not implement even the most basic of security measures.”
Mr. Tuchen of Rapid7 said that as a shortcut, businesses put their videoconference systems outside the firewall, allowing them to receive calls from other companies without having to do any complex network configuration. The safer way to receive calls from other companies, Mr. Tuchen said, is to install a “gatekeeper” that securely connects calls from outside the firewall. But this process “is complex to configure properly,” he said, and “is often skipped.”
Ira M. Weinstein, a senior analyst at Wainhouse Research, a market research firm that specializes in media conferencing, disputed the notion that most companies keep their systems outside the firewall. “The companies that really have to worry about breaches — the Department of Defense, banks — put their systems behind the firewall,” Mr. Weinstein said.
“That doesn’t mean there aren’t exceptions. If you talk to outside companies, you need to decide if you want to be accessible or totally secure. I could never leave my house and be secure. But I want to be accessible. It’s a choice people make.”
But in some cases, Mr. Moore discovered he could leap from one open system into its address book and dial into the conference rooms of other companies, even those companies that put their system behind the firewall.
That was the case with Goldman Sachs. The bank’s boardroom did not show up in Mr. Moore’s initial scan, but an entry labeled “Goldman Sachs Board Room” popped up in the directory of a law firm that Goldman Sachs videoconferences with. Mr. Moore did not disclose the name of the law firm and said that because he was afraid of “crossing a line,” he did not dial into Goldman Sachs.
Said Mr. Tuchen, “Any reasonably computer-literate 6-year-old can try this at home.”