Meetings vulnerable to hackers

Updated: 2012-02-05 08:02

By Nicole Perlroth (The New York Times)

Mike Tuchen, left, and HD Moore of Rapid7 found a threat from hackers. Gretchen Ertl for The New York Times

SAN FRANCISCO - One recent afternoon, a hacker took a tour of a dozen conference rooms around the globe via equipment that almost every company has in those rooms: videoconferencing equipment.

With the move of a mouse, he steered a camera around each room. The hacker could have easily eavesdropped on privileged attorney-client conversations or read trade secrets on a report lying on the conference room table.

The hacker was HD Moore, a chief security officer at Rapid7, a Boston-based company that looks for security holes in computer systems. His latest find: videoconferencing equipment is often left vulnerable to hackers.

Businesses collectively spend billions of dollars each year improving security on their computer systems and employee laptops. But rarely do they give much thought to the ease with which anyone can penetrate a videoconference room where their most guarded trade secrets are openly discussed.

Mr. Moore has found it easy. He even found a path into the Goldman Sachs boardroom. "The entry bar has fallen to the floor," said Mike Tuchen, chief executive of Rapid7. "These are literally some of the world's most important boardrooms - this is where their most critical meetings take place - and there could be silent attendees in all of them."

Instead of secure phone lines, most businesses use Internet protocol videoconferencing - a version of Skype.

At last count, companies spent an estimated $693 million on group videoconferencing from July to September of last year, according to Wainhouse Research.

The most popular units, sold by Polycom and Cisco, can cost as much as $25,000 and feature encryption, high-definition video capture and audio that can pick up the sound of a door opening 90 meters away. But administrators are setting them up outside the firewall and are configuring them with a false sense of security.

Two months ago, Mr. Moore wrote a computer program that scanned the Internet for videoconference systems that were outside the firewall and configured to automatically answer calls. In less than two hours, he had scanned 3 percent of the Internet.

In that sliver, he discovered 5,000 wide-open conference rooms at law firms, pharmaceutical companies, oil refineries, universities and medical centers. Among the vendors that popped up in Mr. Moore's scan were Polycom, Cisco, LifeSize and Sony. Polycom was the only one of those that ships its equipment with the auto-answer feature enabled by default.

In an e-mail, Shawn Dainas, a Polycom spokesman, said the auto-answer feature had several safety elements built in that customers could activate.

Mr. Tuchen of Rapid7 said that as a shortcut, businesses put their videoconference systems outside the firewall, allowing them to receive calls from other companies without having to do any complex network configuration.

In some cases, Mr. Moore discovered he could leap from one open system into its address book and dial into the conference rooms of other companies, even those companies that put their system behind the firewall.

That was the case with Goldman Sachs. The bank's boardroom did not show up in Mr. Moore's scan but an entry labeled "Goldman Sachs Board Room" was in the directory of a firm that Goldman Sachs conferences with. Mr. Moore did not disclose the name of the law firm and said that because he was afraid of "crossing a line," he did not dial into Goldman Sachs.

Said Mr. Tuchen, "Any reasonably computer literate 6-year-old can try this at home."

The New York Times