Information Security News mailing list archives

Video-Conferencing Hole Exposed


From: InfoSec News <isn () c4i org>
Date: Mon, 16 Sep 2002 05:12:06 -0500 (CDT)

Forwarded from: William Knowles <wk () c4i org>

http://www.wired.com/news/technology/0,1282,55145,00.html

By Michelle Delio 
2:00 a.m. Sep. 16, 2002 PDT 

Malicious hackers are no longer limited to looking at private data -- 
now they can also see their victims. 

Even a relatively unskilled attacker can transform some 
video-conferencing systems into video-surveillance units, using the 
devices to snoop, record or publicly broadcast presumably private 
video conferences. 

A half-dozen exploits have recently been discovered in the operating 
system of Polycom's popular ViewStation device. 

Some of the issues have been addressed in a system upgrade released 
last week, but many users said they weren't advised they needed to 
upgrade their ViewStation's operating system and were unaware of the 
security problems. 

Attackers can easily retrieve ViewStation administrator passwords, 
remotely take control of the device and record or monitor video 
conferences, according to Eric Goldberg, general manager of 
Navastream, a company that provides communication security services. 

"There are some very serious problems," confirmed Ken Pfeil, senior 
security consultant at Avaya, a company that designs, builds and 
manages corporate communications networks. "A hacker could very easily 
take administrative control over the entire conferencing system. One 
would need only a Web browser to point and click their way into the 
system." 

The ViewStation is vulnerable to denial-of-service attacks and other 
sorts of data-flood attacks that can destabilize the system and allow 
an attacker to gain control over it. 

Goldberg added that even after the ViewStation system upgrade is 
completed, some security flaws remain. 

Navastream researchers discovered that ViewStation passwords are 
transmitted in "clear text," unencrypted and easily readable to anyone 
who is snooping on the system. 

Goldberg said Polycom's patch does not address the clear-text issue. 

"Any potential attacker monitoring the connection with a network 
sniffer will be able to retrieve the password to gain access to remote 
management controls," Goldberg said. "And if I were to gain remote 
control, I could turn on the device and publicly broadcast over the 
Internet every meeting a corporation held in a room with a 
ViewStation." 

Goldberg also said that once a system was penetrated, an attacker 
could create a simple programming script that virtually anyone could 
use to access that system remotely. 

According to Patty Azzarello, chief marketing officer of Polycom, 
upgrading the ViewStation's operating system provides protection from 
many of these exploits. The upgrade was released last week. 

Affected units are Polycom ViewStation 128 Version 7.2 and earlier, 
Polycom ViewStation H.323 version 7.2 and earlier, Polycom ViewStation 
512 version 7.2 and earlier, Polycom ViewStation MP version 7.2 and 
earlier, Polycom ViewStation DCP version 7.2 and earlier, Polycom 
ViewStation V.35 version 7.2 and earlier, and Polycom ViewStation 
FX/VS 4000 version 4.1.5 and earlier. 
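The affected-version list above is the kind of thing a practitioner would rather check by script than by eye across a fleet. The following Python is an added example, not code from the article, from Polycom or from Navastream: it compares inventory records against the ceilings the article states, component by component, so that "7.10" correctly sorts after "7.2". The model labels, the sample inventory and the decision to treat point releases of a listed ceiling (e.g. 7.2.1) as still affected are assumptions made for the example.

```python
# Added example (not from the article or from Polycom): flag ViewStation units whose
# firmware falls inside the ranges the article lists as affected.
from typing import Dict, List, Optional, Tuple

# Highest affected version per model family, as stated in the article.
# The model label format is an assumption about how an inventory might record it.
AFFECTED_MAX: Dict[str, Tuple[int, ...]] = {
    "ViewStation 128": (7, 2),
    "ViewStation H.323": (7, 2),
    "ViewStation 512": (7, 2),
    "ViewStation MP": (7, 2),
    "ViewStation DCP": (7, 2),
    "ViewStation V.35": (7, 2),
    "ViewStation FX/VS 4000": (4, 1, 5),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'Version 7.2', 'v4.1.5' or '7.10' into a tuple of ints for numeric comparison."""
    cleaned = text.strip().lower()
    for prefix in ("version", "v"):  # 'version' must be tried before 'v'
        if cleaned.startswith(prefix):
            cleaned = cleaned[len(prefix):].strip()
    parts = cleaned.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(model: str, version: str) -> Optional[bool]:
    """True if the unit is at or below the last affected release for its model.

    Returns None for models the article does not list. The version is truncated to the
    ceiling's length before comparing, so a point release of the ceiling (7.2.1 against
    a 7.2 ceiling) is conservatively reported as affected (assumption for this example).
    """
    ceiling = AFFECTED_MAX.get(model)
    if ceiling is None:
        return None
    return parse_version(version)[: len(ceiling)] <= ceiling


def audit(inventory: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Annotate each inventory row with an 'affected' field (True / False / None)."""
    return [{**row, "affected": is_affected(row["model"], row["version"])} for row in inventory]


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY: List[Dict[str, str]] = [
    {"host": "vc-boardroom", "model": "ViewStation 512", "version": "7.2"},
    {"host": "vc-lab", "model": "ViewStation 512", "version": "7.10"},
    {"host": "vc-exec", "model": "ViewStation FX/VS 4000", "version": "4.1.5"},
    {"host": "vc-hq", "model": "ViewStation FX/VS 4000", "version": "4.2"},
    {"host": "vc-misc", "model": "SomeOtherUnit", "version": "1.0"},
]

if __name__ == "__main__":
    for r in audit(SAMPLE_INVENTORY):
        print(f"{r['host']:12} {r['model']:24} {r['version']:6} affected={r['affected']}")
```

Units reported as `None` are models outside the article's list and need a separate check rather than being assumed safe; units reported `True` should be scheduled for the upgrade and, per the advice later in the article, kept behind a firewall in the meantime.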

Some ViewStation users complained that Polycom neither announced the
security issues openly on its website nor notified users, and said the
company never told them that the system upgrade was necessary to secure
their devices.

In three separate calls to Polycom technical support, none of the 
representatives was aware of the security issues addressed by the 
update. 

Azzarello said the company's sales force and marketing partners had 
notified their customers that they needed to update their product's 
operating systems. 

"Regarding the technical support issue, we educate the technical 
support representatives regarding all new product information, 
upgrades and patches," Azzarello said. "Your experience indicates the 
need to revisit this topic with the support staff, which we are in the 
process of doing." 

In addition to keeping up with patches, placing video-conferencing 
devices behind a protective firewall is advisable, experts say. 

Dedicated video-conferencing security products such as Navastream's 
VIP are also available. 


 
*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

