
Vulnerable videoconferencing a major problem for companies


Misconfigured videoconferencing systems can let hackers listen in on privileged boardroom discussions or use PTZ (pan/tilt/zoom) cameras to see confidential reports left lying on conference room tables--so warns HD Moore of vulnerability management firm Rapid7 in a report that first appeared in The New York Times.

The problem is real, given the apparent propensity for administrators to set up Internet-enabled videoconferencing systems outside corporate firewalls. And when toggled to automatically answer incoming calls--the default configuration for some brands--this security hole simply begs to be hacked. You can read more about the issue in today's coverage.

The damage is all the greater given that home users and SMBs are unlikely to deploy such expensive systems. Observed Moore, "What made this interesting is that you are only going to find places that can afford $25,000 videoconferencing systems, so it's a pretty self-selecting set of targets."

The problem isn't a new one, and it mirrors the situation encountered by early adopters of IP telephony, which itself harks back to a time of phreaking, or meddling in conventional telephone systems to avoid paying usage charges. In the IP telephony case, improperly secured IP PBX (private branch exchange) systems are infiltrated by unauthorized users who proceed to rack up a huge volume of overseas calls. And given the post-paid nature of conventional phone systems, it may be a couple of months before someone from the accounts department sounds an alarm over phone bills that could well amount to hundreds of thousands of dollars.

While the problem with videoconferencing systems speaks more of a misconfigured system, it is important to understand that the root issue is really one of responsibility. Many IT initiatives, such as the setting up of videoconferencing systems or IP cameras, were often initiated as "pet" projects of non-IT executives.

Sometimes, after product demonstrations and quotes, the selected vendor that comes down to install the gleaming new systems is faced with a taciturn IT department that may have had little or no say in the project. Eager to show a working deployment, vendors may set up such systems with little regard for the existing network topology or security considerations.

Ultimately, IT departments are responsible for managing the new systems--or so the management believes. But it is not uncommon for the IT department to adopt a hands-off approach to foreign deployments, with a "just call the vendor" mentality, should anything break down. This is obviously a recipe for disaster.

In a nutshell, IT department buy-in is absolutely crucial when deploying new IP-based systems. Specific staffers should be delegated as responsible for every new system that gets rolled out. And as the number of systems increases, responsibilities should also be adjusted to reflect the growing workload. - Paul Mah (Twitter @paulmah)
