[ISN] Video-Conferencing Hole Exposed

From: InfoSec News (isnat_private)
Date: Mon Sep 16 2002 - 03:12:06 PDT

  • Next message: InfoSec News: "[ISN] P2P worm targets Linux Apache Web servers"

    Forwarded from: William Knowles <wkat_private>
    By Michelle Delio 
    2:00 a.m. Sep. 16, 2002 PDT 
    Malicious hackers are no longer limited to looking at private data -- 
    now they can also see their victims. 
    Even a relatively unskilled attacker can transform some 
    video-conferencing systems into video-surveillance units, using the 
    devices to snoop, record or publicly broadcast presumably private 
    video conferences. 
    A half-dozen exploits have recently been discovered in the operating 
    system of Polycom's popular ViewStation device. 
    Some of the issues have been addressed in a system upgrade released 
    last week, but many users said they weren't advised they needed to 
    upgrade their ViewStation's operating system and were unaware of the 
    security problems. 
    Attackers can easily retrieve ViewStation administrator passwords, 
    remotely take control of the device and record or monitor video 
    conferences, according to Eric Goldberg, general manager of 
    Navastream, a company that provides communication security services. 
    "There are some very serious problems," confirmed Ken Pfeil, senior 
    security consultant at Avaya, a company that designs, builds and 
    manages corporate communications networks. "A hacker could very easily 
    take administrative control over the entire conferencing system. One 
    would need only a Web browser to point and click their way into the 
    The ViewStation is vulnerable to denial-of-service attacks and other 
    sorts of data-flood attacks that can destabilize the system and allow 
    an attacker to gain control over it. 
    Goldberg added that even after the ViewStation system upgrade is 
    completed, some security flaws remain. 
    Navastream researchers discovered that ViewStation passwords are 
    transmitted in "clear text," unencrypted and easily readable to anyone 
    who is snooping on the system. 
    Goldberg said Polycom's patch does not address the clear-text issue. 
    "Any potential attacker monitoring the connection with a network 
    sniffer will be able to retrieve the password to gain access to remote 
    management controls," Goldberg said. "And if I were to gain remote 
    control, I could turn on the device and publicly broadcast over the 
    Internet every meeting a corporation held in a room with a 
    Goldberg also said that once a system was penetrated, an attacker 
    could create a simple programming script that virtually anyone could 
    use to access that system remotely. 
    According to Patty Azzarello, chief marketing officer of Polycom, 
    upgrading the ViewStation's operating system provides protection from 
    many of these exploits. The upgrade was released last week. 
    Affected units are Polycom ViewStation 128 Version 7.2 and earlier, 
    Polycom ViewStation H.323 version 7.2 and earlier, Polycom ViewStation 
    512 version 7.2 and earlier, Polycom ViewStation MP version 7.2 and 
    earlier, Polycom ViewStation DCP version 7.2 and earlier, Polycom 
    ViewStation V.35 version 7.2 and earlier, and Polycom ViewStation 
    FX/VS 4000 version 4.1.5 and earlier. 
    Some ViewStation users complained that Polycom didn't openly announce 
    the security issues on their website or notify users, and said they 
    didn't announce that the system upgrade was necessary to secure their 
    In three separate calls to Polycom technical support, none of the 
    representatives was aware of the security issues addressed by the 
    Azzarello said the company's sales force and marketing partners had 
    notified their customers that they needed to update their product's 
    operating systems. 
    "Regarding the technical support issue, we educate the technical 
    support representatives regarding all new product information, 
    upgrades and patches," Azzarello said. "Your experience indicates the 
    need to revisit this topic with the support staff, which we are in the 
    process of doing." 
    In addition to keeping up with patches, placing video-conferencing 
    devices behind a protective firewall is advisable, experts say. 
    Dedicated video-conferencing security products such as Navastream's 
    VIP are also available. 
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Mon Sep 16 2002 - 06:01:40 PDT