Over the past six years, high-definition videoconferencing systems have become increasingly ubiquitous in corporate boardrooms and meeting rooms. The benefits of videoconferencing – productivity gains, cost savings, competitive advantage, and more – have long been obvious. But, until recently, the associated security risks have not received much attention.
That changed two months ago, when security researchers at Rapid7 went public with an analysis of significant vulnerabilities in corporate videoconferencing systems. According to Rapid7 researchers HD Moore and Mike Tuchen, those vulnerabilities could allow attackers to eavesdrop on confidential meetings, read documents sitting on a conference room table, or even zoom in to record keystrokes (such as passwords) typed by meeting participants on their laptops.
The vulnerabilities, which were picked up and publicized by The New York Times and Wired, boiled down to two primary issues: “A large portion of video conferencing equipment is connected to the Internet without a firewall and is configured to automatically answer incoming video calls,” the Rapid7 researchers wrote in a blog post. “This allows a remote intruder to monitor both audio and video information, often with little or no indication to the target.”
So what can companies do to prevent such attacks?
Tuchen, Rapid7’s CEO, says it’s actually very simple to ensure basic security. The most significant mistake many companies make, he says, is to place the system directly on the Internet rather than putting it behind a firewall and leveraging a gatekeeper or a session border controller. “Because that’s a little bit of a hassle to configure correctly, a lot of people do take the shortcut and just stick it on the Internet,” he says.
Based on what he and Moore saw, Tuchen estimates that approximately 150,000 companies’ systems are placed outside the firewall – and worse, he says, they’re set to auto-answer. “It’s like if you bought a conference phone, and whenever anyone dialed the number it automatically picked it up and turned the phone on,” he says. “There’s not a phone company in the world that would do that, but for a videoconferencing company, they decided to do that, because videoconferencing systems are more complex.”
And so, Tuchen says, the first two steps that companies should take to improve videoconferencing security are pretty easy to guess: don’t put the system on the Internet directly, and don’t set it to auto-answer. “You can also set up these systems such that when you do connect, they start the connection muted, and you have to hit another button to un-mute – and we recommend that as well,” he says.
Other straightforward ways to improve security, Tuchen says, include simply unplugging the system or covering up the camera when not in use.
User training is also key. Many systems don’t beep when connected or include an easily noticeable light to identify that the camera is turn on, Tuchen says, so employees have be taught what to watch for. “If you’re sitting a meeting and you see the camera starting to swivel around, that’s a problem … there are a couple of simple things that you want your people to understand and look for, and if they see a problem, stop the meeting and let the IT team know,” he says.
In many cases, Tuchen says, it’s also worth bringing in a third party to do a vulnerability assessment. “If you’re a very heavy user of videoconferencing, then you should have that system in particular tested for its security,” he says. “Other than that, our recommendations for most people are to do a broad-based security assessment across your entire attack surface, if you will – and as part of that, the consultant should look at the videoconferencing.”
Security Team, Meet AV Team
According to Moore, Rapid7’s CSO, many of the security issues that he and Tuchen came across can be attributed to the fact that videoconferencing deployments are often managed by a company’s AV group, not by IT. “Getting the IT folks more aware of where those devices are, how you configure them, what the security flaws are, and making sure that the security team is aware of them and tests them as well, has been a huge driver for improving the security of these systems,” he says.
Aberdeen Group research analyst Hyoun Park says that’s often the crux of the problem. “Line-of-business end users often don’t think about all of the security and compliance issues that IT would have taken for granted if they had been responsible for the purchase,” he says.
It’s really not an issue of device or system functionality, Park says – it’s all about the implementation. “The problem comes into place when companies decide to buy these technologies outside of their traditional IT purchases … and when that purchase structure gets broken down, that’s when these non-standard and insecure deployments come into play,” he says.
And so, Park says, it makes sense for many companies to turn to an outside consultant for guidance in installing a videoconferencing system correctly. “Our research shows here at Aberdeen that very few organizations have all the skill sets that they are seeking associated with videoconferencing – videoconferencing simply isn’t a core competency for most IT departments,” he says. “So at least in the installation process, if security is an issue and if a company doesn’t have prior experience, it’s a good idea to bring in a consultant.”
Still, David Morrison, senior product manager at videoconferencing provider LifeSize, says it’s crucial to keep in mind that none of this is particularly complex. “It’s like your front door – it has a key and a lock, and if you choose not to use it, or if you don’t know what it’s there for, people can walk in,” he says. “It’s pretty much the same situation with videoconferencing – you have all these tools available to you to lock down your system and make sure nobody can get illegal access to it or call into it without your knowledge.”
And that’s true, Morrison says, whether you choose to maintain on-premises equipment or leverage a cloud-based solution. “If I’m an organization with a very small IT group, I may not want to bring that knowledge-based expertise in-house just so I can manage it on-premises – I would choose cloud – and likewise, if I’m a larger company and I have a very good IT group, I may choose to just manage it myself … but you get the same level of security through both solutions,” he says.
Regardless of the specifics of the deployment, there’s no reason to view videoconferencing security as a significant challenge. “These are secure devices that can be implemented … to assure the executives of a company that they’re not being hacked into during a call, nobody is watching their meeting – and nobody is in their room when they’re not there,” Morrison says.
The bottom line: Videoconferencing equipment can be made secure – you just have to make sure the systems are installed and configured correctly.
Jeff Goldman is a freelance journalist based in Los Angeles. He can be reached at firstname.lastname@example.org.