Video Conferencing Security
Business video conferencing technology received some wide-spread attention last week when this report was filed in the New York Times about how video conferencing systems in some of the world’s largest and most prestigious companies were leaving the door open to hackers from the Internet to listen in on your meetings. The article explains how a security researcher was able to scan the Internet for video conferencing systems using information widely known and published about such systems.
The report may have you thinking “is my system vulnerable to this attack?” The issue is simple to diagnose; when you receive video calls, do you have to press a button (on a remote, touch panel or conference phone) to answer calls? If you have to take an action to answer a call, you are safe from this type of eavesdropping. Can you call to the “outside world” or receive calls? If you cannot, your system may be placed inside the network and only accessible to other company systems. The risk of unwanted people attending your meetings is greatly diminished if the only systems that can call the room are internal to the company. You may want to confirm this positioning with your IT team.
The article makes mention of some ways video conferencing users can protect themselves. All systems allow for an “auto-answer” feature to make video conferencing easy, and for testing purposes. Most systems, including those made by the major manufacturers (Cisco, Polycom and LifeSize) allow you to specify that auto-answered calls will connect with the microphone turned off. The safest thing to do is to turn auto-answer off completely, but the downside is that users need to take action to answer a call – this can adversely affect adoption of the technology. Far-end camera control or FECC is a capability of most systems that include a pan-tilt-zoom type of camera. It allows control of your room camera by the system you are connected to. FECC can be turned off and on in the menus of a system or in the system’s web interface.
Speaking of the web interface: something the article forgot to mention is that many of these systems are like small computers, with many capabilities including the ability to command and control the systems via a web browser interface. Every manufacturer protects these features with a password, but many administrators and end-users fail to change the password from the default. Once an attacker locates your system, they can attempt to log on control it with the web interface, access your recent calls and directory and potentially explore the network the unit is connected to.
Even if your video conferencing system needs to be able to be called by the outside world, it should still be placed behind a firewall. The firewall allows you to specify which ports are able to be “seen” by the Internet, and which IP addresses can access them. If you want to be able to receive calls but don’t want the outside world playing with your web interface, you can block access to the web port (port 80). If you discover calls to or from unauthorized parties, you can also use the firewall to block the offending caller’s IP address. If you want to get even more restrictive, you can restrict outside callers to an explicit white list, prohibiting everyone else from connecting.
If you want the top solution to the problem of video conferencing security, there are products from Cisco, Polycom, LifeSize and Radvision that are specifically designed to make the management of your video conferencing infrastructure easy and secure. These so-called “Gatekeeper” products double as secure firewall traversal appliances, allowing your video conferencing system to live safely behind the corporate firewall while staying accessible to those you with whom you wish to communicate. Beyond added security, these appliances let you implement a dial plan that makes calling systems and bridges more friendly to your users, eliminating the need to memorize or recognize IP addresses. Gatekeepers can also allow you to track equipment utilization and help you calculate the return on your video conferencing investment.
If you are concerned about the security of your video conferencing system or interested in investigating what a gatekeeper appliance can do for your company, give our AV Custom Solutions team a call.
-Levi Glennie, Professional Services Video Specialist
