Recent news reports on penetration tests of video conferencing equipment have publicized that the auto-answer feature poses a significant security problem. Enterprises need to start implementing secure video conferencing best practices to keep hackers out.
If they follow best practices, corporate users and IT teams can prevent snooping while a meeting is in session. Even better, they can prevent hackers from silently recording meetings and stealing data stored on the equipment.
Secure video conferencing: Know your risks
Video conferencing hackers pose two risks to enterprises, but if users take simple steps, they can often avoid security incidents:
• Data leaks: Hackers can steal the IP addresses of other conference rooms and lists of frequently called phone numbers right off the video conferencing module. However, deploying a session border controller (SBC) configured to work with Session Initiation Protocol (SIP) can mitigate the risk of data loss.
• Call intrusion: The auto-answer feature that comes standard on all video conferencing systems allows access to all callers, including any silent intruders who secretly discover the IP address of the equipment. When video conferencing equipment is set to manual call answering, all callers have to announce themselves when they arrive for the meeting. The answering party then controls who attends the meeting. Since the video conferencing equipment remains off until someone manually turns it on, setting the system to manual is a sure way to secure video conferencing endpoints, keeping intruders out and information safe.
Assess your secure video conferencing posture
Companies often choose the convenience of using the auto-answer feature. Even if an interloper should dial in, they may see this as a very low-risk vulnerability, according to Ira Weinstein, senior analyst and partner at Wainhouse Research.
With auto-answer enabled, no one has to touch anything. Participants arrive at the video conference or telepresence meeting room at the appointed hour, and when the calling party connects, the screen is activated and the meeting begins. Convenient? Yes. Secure? No. Hackers trawling for vulnerabilities can hit the IP address of the video conferencing equipment. When that happens, the auto-answer feature allows them to surreptitiously access the equipment and seize control of the cameras.
Weinstein said a multi-office firm with many partners who communicate regularly may decide that it doesn't matter if the auto-answer feature is on, as long as nothing proprietary is exposed to audio or video during the session.
"Companies have to choose between accessibility, security and cost-effectiveness," said Weinstein, an expert in secure video conferencing.
As for data leaks, Weinstein said that if conference room phone numbers are the only things exposed by a video conference system hack, a firm might decide the convenience is worth the risk. He has several video conferencing systems on in his office at any given time, all connected to the public Internet -- a choice he makes, he said, because he wants accessibility.
Other companies will have higher standards for secure video conferencing, according to Irwin Lazar, vice president and service director at Nemertes Research.
"Companies do want to guarantee that a meeting takes place only between two endpoints, and they are more and more looking at encryption solutions," Lazar said.
Secure video conferencing: Assessment tools
Specialized tools for assessing secure video conferencing are available, including Metasploit, a penetration testing application engineered by Rapid 7, a Boston-based company that recently performed a highly publicized penetration test of video conferencing systems. The application includes a tool for scanning and identifying vulnerabilities in video conferencing systems. Recent research by Rapid 7 concluded that auto-answer is a security hole that can admit intruders into an Internet-connected system, according to CEO Mike Tuchen.
On the other hand, Weinstein said he thinks each organization should weigh the risk of enabling auto-answer for its meeting rooms before deciding to disable it.
Weinstein said auto-answer is a choice, and just as IT teams need to take steps to secure the network and each personal computer, they also need to implement security for video conferencing equipment. Lazar said if auto-answer is a concern, a solution using an enterprise SBC with SIP can assure the call is from an approved caller.
H.D. Moore, Rapid 7's chief security officer, recommends that companies disable the feature entirely, although he agrees that IP-connected systems could be configured with SBCs and SIP for access control. Moore, who used Metasploit's rapid port-scanning tool to scan for security holes in IP-connected video conferencing systems, reported 5,000 video conferencing systems without gatekeepers auto-answered his incoming calls. He found he could easily have controlled video cameras and silently attended meetings.
Most of the video hacks that occurred with Rapid 7's port-scanning experiment could have been averted if the systems were connected through a SIP trunk with a correctly configured session border controller, according to Lazar.
Unfortunately, many network administrators may not realize that SIP is useful for video as well as for voice, Moore said. An SBC is good for thwarting auto-answer exploits, but the controllers are expensive and they have to be configured to use SIP in order to secure the video conferencing equipment.
Secure video conferencing best practices
1. Use a session border controller with SIP to secure IP-connected video equipment.
2. Train users to identify signs of hacked video conferencing equipment. "If you see [that] the camera starts to move around, someone's looking in," Rapid 7's Tuchen said. "If there are lights on the console or camera, that's an indication the system is in use before the call has gotten underway."
3. Set the system to mute by default once a video conferencing call is connected. If a hacker does dial in, he or she can't hear your side of the conference until someone inside the meeting unmutes the call.
4. Remember the auto-answer feature on the video conferencing equipment is the same feature that allows a silent attendee to enter the meeting undetected.
5. If auto-answer is off, have someone (an IT administrator or a designated user) on hand to activate the system manually. It takes a little planning, but it will ensure that no uninvited guests may participate without being announced either by a sound or a visual alert on the screen.
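An added example, not part of the original article: a small audit that applies the practices above to an inventory of video endpoints and ranks each room by its worst finding. The inventory field names, the sample addresses and the severity labels are assumptions constructed for illustration, not any vendor's schema.

```python
import ipaddress

# Constructed sample inventory; field names are hypothetical.
INVENTORY = [
    {"name": "boardroom", "ip": "203.0.113.10", "auto_answer": True,
     "mute_on_answer": False, "behind_sbc": False},
    {"name": "branch-a", "ip": "203.0.113.20", "auto_answer": True,
     "mute_on_answer": True, "behind_sbc": True},
    {"name": "hq-lab", "ip": "10.20.0.15", "auto_answer": False,
     "mute_on_answer": False, "behind_sbc": False},
    {"name": "exec-suite", "ip": "10.20.0.40", "auto_answer": False,
     "mute_on_answer": True, "behind_sbc": True},
]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SEVERITY = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}  # assumed ranking, worst first


def internet_facing(ip):
    """Treat any address outside the RFC 1918 private ranges as Internet-reachable."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in RFC1918)


def audit(ep):
    """Return (severity, message) findings for one endpoint, worst first."""
    exposed = internet_facing(ep["ip"]) and not ep["behind_sbc"]
    findings = []
    if exposed:
        findings.append(("MEDIUM", "Internet-reachable with no SBC in front (practice 1)"))
    if ep["auto_answer"]:
        # Auto-answer is the core issue; it is worst when nothing screens callers.
        sev = "HIGH" if exposed else "MEDIUM"
        findings.append((sev, "auto-answer enabled (practices 4 and 5)"))
    if not ep["mute_on_answer"]:
        findings.append(("LOW", "not muted when a call connects (practice 3)"))
    return sorted(findings, key=lambda f: SEVERITY[f[0]])


def report(inventory):
    """Map each endpoint name to its worst severity, or 'OK' if nothing was found."""
    result = {}
    for ep in inventory:
        findings = audit(ep)
        result[ep["name"]] = findings[0][0] if findings else "OK"
    return result


if __name__ == "__main__":
    for name, level in report(INVENTORY).items():
        print(f"{name:12} {level}")
```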
Let us know what you think about the story; email: Lisa Sampson, Feature Writer
This was first published in February 2012