Hundreds of thousands of corporate video conferencing setups are fully open and vulnerable to spying attacks, new research has revealed.
Most corporate security teams are likely to be familiar with the scenario in which, for reasons of higher security, sensitive meetings are arranged in-house instead of at external venues such as hotels. Whilst internal meetings do have a certain advantage from a physical security perspective, this does not mean that they are automatically safe from unauthorised surveillance, and from remote attacks in particular.
According to the US hacker and researcher HD Moore, who spent months testing high-end video conferencing hardware and software, lazy habits and sloppy security settings make the equipment vulnerable to hacker infiltration. Moore, who works as the chief security officer at Rapid7, used scanning tools to survey a small fraction of the Internet for video conferencing hardware. He discovered that confidential conferences could easily be eavesdropped on because the equipment is rarely placed behind a firewall.
WhiteRock fully endorses these results, and in our experience 9 out of 10 global businesses overlook the security protocols of their video conferencing facilities. The key oversight is the default factory auto-answer setting, which companies do not reconfigure. The other main vulnerability is that companies do not implement a password protection policy, which should be restricted to administrative rights only.
During the tests, Moore was able to access video conferences held in corporate boardrooms, and at meetings in research facilities, law offices, and venture capital firms. In one case, the researcher was even able to dial into an ongoing conference, operate the camera and zoom in on one individual to see him enter a password on his laptop, without the participants noticing the moving camera for more than 20 minutes.
According to Moore's estimates, at least 150,000 video conferencing setups are vulnerable to eavesdropping through the hardware's microphone and to spying through the remote-controlled camera.
Coincidentally, only last week, the hacker group Anonymous published a recording on YouTube illustrating how they accessed highly sensitive information exchanged during a conference call between the FBI and Scotland Yard. Ironically, the main topic discussed by the Anglo-American police forces was how to unite their efforts in the fight against cyber crime. The eavesdropped conference call that took place a month ago also covered the tracking of Anonymous and similar groups, dates of planned arrests and details of evidence held.
The recording is obviously embarrassing for the top cyber crime professionals who should be leading the way. Instead, it clearly demonstrates how insecure even their own videoconference systems are.