Videoconferencing security boils down to users

How susceptible videoconferencing systems are to hacking is dependent on how users configure and install their video systems, security observers note, adding that breaches can be avoided with the appropriate settings.

Their comments come after reports that a white hat had remotely hacked videoconference rooms. H.D. Moore, chief security officer at U.S.-based security vendor Rapid7, described in a New York Times report last month that he was able to remotely tour videoconference rooms of major venture capital and law firms, pharmaceutical and oil companies, and courtrooms located around the globe.

"The entry bar has fallen to the floor," Rapid7 CEO Mike Tuchen said in the report. "These are literally some of the world's most important boardrooms. This is where their most critical meetings take place, and there could be silent attendees in all of them."

The report further noted that while no company, to date, announced its videoconferencing systems had been hacked, this did not mean they were not immune to hacking attacks.

However, Ira Weinstein, partner and senior analyst at Wainhouse Research, noted that companies can protect their videoconferencing systems from security attacks if they know how to configure and install the equipment.

He explained that that when an organization's videoconferencing system is deployed behind the enterprise firewall, it will be protected from outside attempts to access the system, making it more difficult for external parties to communicate with the company via this platform.

For this reason, Weinstein noted that organizations often take the "easier" approach and place their videoconferencing systems outside the firewall, leaving the systems on the public Internet and accessible by external parties.

However, he stressed that doing so does not necessarily expose the company to security risks.

No sensitive data involved, security features included
According to Weinstein, videoconferencing systems do not contain sensitive data. Should hackers penetrate the system, they will only gain access to the contact directory and possibly, a log of video calls.

"This is very different from the risks associated with someone hacking an enterprise server," he said.

Furthermore, video systems do not store enterprise data or connect to an enterprise directory or groupware system, so the risk associated with unauthorized access is usually limited, he said.

Walter Lee, CEO of e-Cop, agreed and added that most videoconferencing equipments have security features.

For example, most videoconferencing equipment comes with encryption technology so the data stream will be encrypted, Lee said. The system is also protected with an administrator password which must be entered in order for users to log into and access the device.

Most devices also have the auto-answer function "turned off", so if someone places a video call to a system--when a conference is not supposed to take place--the call will not automatically connect, and will only do so when the administrator password is provided, he added.

Tor Halvorsen, collaboration solution architect at Cisco Systems, also noted that any Web-connected device would be susceptible to hacking. He said Cisco equipment is build with security certificates and encryption to prevent hacking, adding that functions and auto-answer features can be turned off to maintain a secure work environment.

According to Weinstein, videoconferencing systems only pose security risks when users install the video system, place it on the public Internet, enable remote management, do not set up an administrative password, turn on auto-answer, and set the system to "un-mute microphones" when in auto-answering mode.

"Assuming the above, a remote video system or user can connect to a video system and remotely monitor a meeting room," said the Wainhouse analyst. "The net of the above is that it is possible to connect to a video room without permission, but the video room must have been installed in such a way to make this possible."