Videoconferencing systems can create a huge hole in your company's security. Thankfully, the problem may be very easy to fix.
Check the security of your company's videoconferencing system -- which is probably a Polycom or Cisco Systems unit -- in the boardroom or conference room. You'll probably notice there is no password protection, autoanswer is turned on and the conference system itself is set up outside the corporate firewall. Plus, the lens of the unit may be uncovered.
If you find any of these things, fix them and be done with it. It may take only a few minutes, and then no longer will you be wondering whether your meetings have had any uninvited guests.
According to a story that appeared in the Jan. 22, 2012, edition of "The New York Times," executives of security firm Rapid7 went virtual conference-room surfing, making stops at locations including Goldman Sachs, venture capital firms, drug companies and other major players. Using standard Internet protocol (IP) videoconferencing, they scanned for systems with autoanswer enabled and took advantage of the non-existent security, visiting conference rooms seemingly pretty much at will.
According to the article:
The most popular units, sold by Polycom and Cisco, can cost as much as $25,000 and feature encryption, high-definition video capture, and audio that can pick up the sound of a door opening 300 feet away. But administrators are setting them up outside the firewall and are configuring them with a false sense of security that hackers can use against them.
Whether real hackers are exploiting this vulnerability is unknown; no company has announced that it has been hacked. (Nor would one, and most would never know in any case.) But with videoconference systems so ubiquitous, they make for an easy target.
I won't share more of the story, which I hope you will read. There's a sort of Keystone Cops-meets-IT quality about it, but I can imagine a less-than-truly paranoid IT tech might install a conferencing system without thinking about the consequences of making it (too) easy to access.
Or leaving it too easy to access: According to the article, Polycom ships units with autoanswer turned on, leaving customers responsible for configuring several available security features. Genius-level stuff, I know.
If you do a Google search on "videoconference security" you will find mostly garbage -- some of it dating back to ISDN conferencing. The good news is that, even without Google, fixing the problem is pretty simple: Turn off autoanswer, add a password, get the conferencing system inside the corporate firewall. Then go forth and sin no more.