Cameras May Open Up the Board Room to Hackers - bcn
http://www.nytimes.com/2012/01/23/technology/flaws-in-videoconferencing-systems-put-boardrooms-at-risk.htm

======
bradleyland
When I did independent IT consulting, I had a client with a home in Florida
and an office in Pennsylvania. He purchased a _very_ nice high-def Polycom
unit for both locations so he could work from his office in Florida. It was a
nice setup that would make any remote worker jealous, with all the
pan/tilt/zoom you could dream of and quality that was out of this world.

My first visit was to solve a problem with the conferencing system. He could
see his office, but couldn't hear them. The problem ended up being an input
issue on his TV, not the Polycom itself, but in the process, I discovered
something horrifying. Both his unit and the one in PA were configured to auto-
accept incoming IP calls. He regularly kept the television turned off at his
home office, so if someone connected to his Polycom, the only evidence would
be the lights.

A quick inspection of the network revealed that there was no firewall. His PC
connected to a VPN, but the Polycom was open on the internet. When I asked him
how he was protected from a random person connecting to his Polycom, he said
"No one else knows the IP address." As if it were some kind of password. I
accidentally laughed out loud in one of those awkward moments where you
immediately realize that laughing was the inappropriate response. I explained
that attackers constantly scan IP ranges just looking for devices to exploit.

He, of course, had me disable the auto-answer feature immediately, but
wouldn't go the extra step of setting up a firewall between his office and PA.
I was flatly appalled that a Polycom integrator would install a unit on an
internet-facing IP with auto-answer turned on.

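The comment above describes the two halves of the exposure: a unit reachable from the internet with nothing in front of it, and auto-answer so that a completed call goes unnoticed. The following is an added example, not code from the thread or from Polycom, showing how to tell from a border firewall's logs whether such a unit is being probed and whether probes actually get through. It assumes the unit is H.323, whose call signaling (H.225/Q.931) listens on TCP 1720, that the border device writes netfilter-style LOG lines for inbound packets, and that the site's own address ranges are known; the log lines, addresses and the INTERNAL_NETS list are constructed for the example.

```python
"""Added example (not from the thread or from Polycom): flag inbound probes of an
H.323 videoconferencing unit from netfilter-style firewall log lines.

Assumptions (not stated in the thread): H.323 call signaling listens on TCP 1720,
the border device logs inbound packets in iptables LOG format, and the site's own
networks are listed in INTERNAL_NETS. SAMPLE_LOG is a constructed sample.
"""
import ipaddress
import re
from collections import defaultdict

H323_SIGNALING_PORT = 1720  # H.225/Q.931 call signaling (assumption: unit is H.323)

# Site-owned ranges (constructed); anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed netfilter LOG lines: a sweep from one source, a completed handshake from
# another, and a legitimate caller on the office VPN range.
SAMPLE_LOG = """\
Jan 23 02:11:07 edge kernel: [FW-IN] IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=41022 DPT=1720 SYN
Jan 23 02:11:07 edge kernel: [FW-IN] IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.10 PROTO=TCP SPT=41023 DPT=5060 SYN
Jan 23 02:11:09 edge kernel: [FW-IN] IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.11 PROTO=TCP SPT=41024 DPT=1720 SYN
Jan 23 03:40:12 edge kernel: [FW-IN] IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.10 PROTO=TCP SPT=55010 DPT=1720 SYN
Jan 23 03:40:14 edge kernel: [FW-IN] IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.10 PROTO=TCP SPT=55010 DPT=1720 ACK
Jan 23 09:15:00 edge kernel: [FW-IN] IN=eth0 OUT= SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP SPT=50001 DPT=1720 SYN
Jan 23 09:15:00 edge kernel: [FW-IN] IN=eth0 OUT= SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP SPT=50001 DPT=1720 ACK
"""

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
    r".*?SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+)(?P<rest>.*)$"
)


def parse_line(line):
    """Return the fields we need from one LOG line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    return {
        "src": m.group("src"), "dst": m.group("dst"),
        "proto": m.group("proto"),
        "spt": int(m.group("spt")), "dpt": int(m.group("dpt")),
        "syn": " SYN" in rest, "ack": " ACK" in rest,
    }


def is_internal(ip, nets=INTERNAL_NETS):
    """True if ip lies in one of the site's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def analyze(log_text, nets=INTERNAL_NETS, port=H323_SIGNALING_PORT):
    """Classify sources that sent SYNs to the signaling port.

    A later non-SYN segment on the same 4-tuple means the unit replied and the
    handshake completed, i.e. nothing in front of it dropped the call attempt.
    (Whether the unit then auto-answered is decided in Q.931, after the handshake,
    and is not visible at this layer.)
    """
    syn_from = defaultdict(set)   # src -> {(dst, spt)} for SYNs to the signaling port
    completed = set()             # sources whose handshake to the port completed
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dpt"] != port:
            continue
        key = (rec["dst"], rec["spt"])
        if rec["syn"] and not rec["ack"]:
            syn_from[rec["src"]].add(key)
        elif key in syn_from.get(rec["src"], ()):
            completed.add(rec["src"])

    report = {"external_probes": [], "external_completed": [], "internal_callers": []}
    for src in syn_from:
        if is_internal(src, nets):
            report["internal_callers"].append(src)
        else:
            report["external_probes"].append(src)
            if src in completed:
                report["external_completed"].append(src)
    for k in report:
        report[k].sort()
    return report


if __name__ == "__main__":
    for k, v in analyze(SAMPLE_LOG).items():
        print(f"{k}: {', '.join(v) or '-'}")
```

Any entry under external_completed is the situation the comment describes: an outside host reached the unit's call-signaling port and got a TCP session, so only the unit's own settings (auto-answer, passwords) stand between it and the room. External_probes with no completions is what a correctly placed firewall looks like from the log side.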
------
mdwrigh2
HD Moore posted on the Rapid7 blog some of the technical details:
<https://community.rapid7.com/community/solutions/metasploit/blog/2012/01/23/video-conferencing-and-self-selecting-targets>

------
yagibear
Previous discussion: <http://news.ycombinator.com/item?id=3498438>
