H.323 “hacking” without coding in 2006
Recently some news came out from NY Times and HD Moore where he was doing some targeted scanning and found a bunch of open H.323 videoconference systems open and ready for viewing. What he found was that a lot of these systems are deployed outside of the firewall on the Internet without any security and with auto-answer turned on, and these were sometimes installed in sensitive board rooms, etc. Then, along came some videoconferencing guy who said some of HD’s claims were bunk. Then Rapid7 and HD fired back, and yada, yada, yada (you can read a better run down here at Computerworld).
What I find funny about this is that this has been an issue for a long time. Back when I was an InfoSec manager, I put in a videoconferencing system in 2006 to facilitate some communication with a sister company. When we set it up originally, I found that there were a lot of issues with putting an H.323 device behind a firewall. NAT broke it pretty easily, and I ended up putting it on the outside of the firewall for a time when we needed to setup a session, and I tore it down immediately after (we ultimately setup a private T-1 between us so we would have no issues – there was some sensitive info going across the line in those sessions). But when I was getting it setup for the first time and doing some testing, I found that the Polycom unit I was using had some test sites already in the address book. So I connected to a few of those to make sure things were working. I even had folks on the other end try to connect to me (yes, there were people on the other side just kinda hanging out. In fact, there were a few sites where it was like, you guessed it, a Google+ hangout – it was kinda fun and weird at the same time).
But after discovering that, I decided to turn on a bit of Google-fu and see if there were other sites out there that were also open. And again, the answer was yes. Google linked to a lot of sites (like this one) that had a list of “test” H.323 locations ready for connection. But what I quickly found out was that many of these “test” units did not seem to be for testing purposes at all (or maybe they had been at one time but someone forgot to secure them after they had been repurposed to a “real” site). Many were companies that often had these VC units setup in sensitive areas. Some of these had their audio and connected TV’s turned on, and people in the room would notice when a connection occurred. But very often i found that some had their audio and TV’s turned off, or the folks in the room ignored the connection signal. Basically, what HD said here:
…we did prove that most VC equipment provided little or no warning when an attacker dialed into the system. In most cases, the television set is off unless a call is expected. If the television is off, there is little indication that a call is in progress. The reason for this is two-fold;
First – the base unit, not the camera, is usually what has an indicator that turns on when a call is in progress. The base units are often stashed behind a cabinet, near the floor, or generally out of sight.
Second – newer cameras (specifically, the Polycom HDX series) are extremely quiet while being panned or zoomed and the only indication they provide is the direction they are facing. We conducted a “blind” test where the conference room VC unit was accessed during a Rapid7 general staff meeting. Twenty minutes into the meeting, nobody had noticed the camera swinging from the rest position to pointing at a participant’s laptop screen, zoomed in to capture his email and keystrokes.
After connecting to a couple of them and hearing and seeing snippets of very sensitive discussions and realizing that these cameras were very good at zooming into documents, I decided to stop it. I am kinda bummed that I didn’t write about it in my blog back then (at least I don’t remember doing so, and I can’t find it in my archives), but oh well. I didn’t do any cool coding like HD did, and I am pretty sure this would still be a problem today anyway.
So basically, HD is right, and the VC dude is wrong. This is a problem. I know. I have seen this first hand by my own actions. I heard things that I wish I would not have heard about (maybe that is why I didn’t publish anything back then). Not crazy guvment secrets or anything, but it still was information that I could have used to hurt folks or profit from if I was that kind of person.
So IT and security folks, take a look at your videoconferencing setups. Realize that there are a lot of bad settings turned on by default, so make sure you lock them down. Get them off the Internet. Pay attention to where they are located. This can cause you a big headache.
[UPDATE: After re-reading my post and after reading the first comment, I want to say something. I am not saying that HD didn’t do something cool, and I am not trying to disparage his work in any way. HD uses code, and he does it very well. I don’t have the mad skillz that he does, and putting those scans together is pretty dang cool. I am glad someone with his platform showed that this was an issue that needed to be addressed. I was merely trying to point out that the issue has been around for a while and that I found it in other ways that didn’t involve coding.]