Some video conferencing equipment connects to the Internet without a firewall and automatically answers incoming video calls, which can allow an intruder to monitor audio and video with little or no indication to the victim.
“The interesting part of this research is who it affects; these units can cost anywhere from a few hundred dollars (used) to tens of thousands of dollars for high-end room systems,” said Rapid7 Chief Security Officer HD Moore in his blog post. “It is rare to find a high-end video conferencing system in an unimportant location. Examples identified by this research include corporate boardrooms, inmate-lawyer consultation areas, venture capital firms, and research facilities.”
In his three-month research project, Moore, the creator of Metasploit, focused on equipment that speaks the H.323 protocol. Of the 250,000 systems identified with this service, just under 5,000 were configured to automatically receive incoming calls.
“There are an estimated 150,000 systems on the Internet as a whole affected by this issue,” Moore said in his blog. “This does not count the hundreds of thousands of video conferencing systems exposed on the internal networks of large corporations.
“Even cheap video conferencing systems provide an incredible level of visual acuity and audio reception,” Moore said. “In the Rapid7 lab, we were able to easily read a six-digit password from a sticky note over 20 feet away from the camera. In an otherwise quiet environment, it was possible to clearly hear conversations down the hallway from the video conferencing systems. In most cases, the remote user has the ability to drive the camera — controlling pan, tilt, and zoom — providing visibility into areas far away from where the system is actually installed. A separate test confirmed the ability to monitor a user’s keyboard and accurately capture their password, simply by aiming the camera and using a high level zoom. Another test demonstrated the ability to read a user’s email on their laptop screen. If the system is connected to a television set that has not been powered on, the only indicator that a call is active will be the movement of the camera itself or a small light on the base of the system. Many of the high-end models do not include a visual indicator of a call in progress on the camera at all.”
One way to check whether a system is susceptible is to scan the network using Metasploit. Metasploit, originally created by Moore and now managed by Rapid7, contains modules for scanning for H.323 services.
“All shipping Metasploit editions contain a scanner module for quickly identifying H.323-enabled systems that accept incoming calls,” Moore said in his blog. “This module is in the default discovery mode of Metasploit Pro (free trial) and can scan a large network to identify affected systems. This process also works for the free Metasploit Community Edition.
The process for using Metasploit Pro to discover exposed H.323 devices is:
1. Log in to the web interface on https://metasploit:3790/
2. Create a new Project
3. Choose the Scan option
4. Expand “Advanced Options” and enter “1720” into the Custom TCP Ports parameter
5. Uncheck UDP and SNMP discovery options to increase scanning speed
6. Launch the Scan task
7. Once complete, browse to Analysis -> Services
8. Enter “h323” into the Search box on the upper right
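For teams that want to triage the results of such a scan of their own network outside the web interface, the following added example (not from Moore's post or from Rapid7) lists hosts with TCP 1720 open and puts Internet-facing ones first. It assumes the results were exported in Nmap's grepable (`-oG`) format, a tool the article does not mention, and that any address outside RFC 1918 space is Internet-facing; the sample hosts are constructed. An open port 1720 only shows that H.323 is reachable, so the auto-answer setting still has to be checked on each device.

```python
import ipaddress

H323_PORT = "1720"  # TCP port entered in step 4 of the procedure above
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of Nmap grepable (-oG) output; hosts and names are made up.
SAMPLE_SCAN = (
    "# Nmap scan of video conferencing VLANs (constructed)\n"
    "Host: 10.20.1.15 (boardroom-a.example.internal)\tPorts: 1720/open/tcp//h323q931///, 80/open/tcp//http///\n"
    "Host: 203.0.113.40 (vc-edge.example.com)\tPorts: 1720/open/tcp//h323q931///\tIgnored State: closed (999)\n"
    "Host: 10.20.1.16 ()\tPorts: 1720/filtered/tcp//h323q931///, 443/open/tcp//https///\n"
    "Host: 198.51.100.7 ()\tPorts: 22/open/tcp//ssh///\n"
)


def exposed_h323(grepable_text):
    """Return (address, hostname, exposure) for hosts with TCP 1720 open, Internet-facing first."""
    findings = []
    for line in grepable_text.splitlines():
        # Grepable lines are tab-separated "Key: value" fields.
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Host" not in fields or "Ports" not in fields:
            continue  # comment lines and "Status: Up" lines carry no port list
        addr, _, name = fields["Host"].partition(" ")
        for entry in fields["Ports"].split(","):
            # Each entry is port/state/protocol/owner/service/...; pad short entries.
            port, state, proto = (entry.strip().split("/") + ["", "", ""])[:3]
            if (port, state, proto) != (H323_PORT, "open", "tcp"):
                continue  # "filtered" means a firewall is already in the path
            ip = ipaddress.ip_address(addr)
            # Assumption: anything outside RFC 1918 space is reachable from the Internet.
            internal = any(ip in net for net in RFC1918)
            findings.append((addr, name.strip("()"), "internal" if internal else "internet-facing"))
    return sorted(findings, key=lambda f: f[2] != "internet-facing")


if __name__ == "__main__":
    for addr, name, exposure in exposed_h323(SAMPLE_SCAN):
        print(f"{addr:15} {name or '-':32} {exposure}: check auto-answer setting and firewall rule")
```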
“Video conferencing systems are one of the most dangerous but least-known exposures to organizations conducting business of a sensitive nature,” Moore said. “Although many vendors provide some security measures, these tend to be ignored in the real world, by both IT staff and security auditors.”