A Boston-based hacker who gets hired by companies to find holes in their cybersecurity now says videoconferencing equipment is, in general, wide open to attack.
H.D. Moore, the security chief at a firm called Rapid7, said videoconferencing rooms are often overlooked while companies focus on smartphone and laptop security instead, the New York Times reported. Now that so much of what companies do runs online, the soft underbellies of video equipment in top law, pharmaceutical and financial firms have been exposed, Moore said.
The report said many IT managers are setting up the video equipment outside the firewall, and that the systems have become easy targets because they are more or less Skype on steroids. With so much data online, Moore says he has been able to search online and tap right into hundreds of systems at will. He attributed the problem in part to the difficulty and expense of properly securing the systems.
Another problem is that companies are setting up their systems so that anyone calling into a session can do so anonymously. On many video calls, when someone dials in, they have to be accepted by someone already on the call. With anonymous calling, anyone can dial in and listen.
A company called Polycom sells more videoconferencing setups than anyone, and by default, its equipment is set up for just this kind of auto-answer function that could allow anyone to eavesdrop on video conference calls. There are safety features like password protections, auto-mute and camera control lockup, but it is up to the companies that buy the units to set them up properly, the report added.
It boils down to whether organizations are aware of the risk, and our research indicates that many, even well-heeled venture capital firms, were not aware and do not implement even the most basic of security measures, Moore told the Times.