SAN FRANCISCO - This month, a hacker toured a dozen conference rooms around the globe via equipment that most every company has: videoconferencing equipment.
With a mouse, he steered a camera around each room, zooming in with such precision that he could discern paint flecks on the wall. The hacker could have eavesdropped on attorney-client conversations or read trade secrets. The hacker was HD Moore, a chief security officer at Rapid 7, a Boston company that looks for security holes in computer systems. His latest find: Videoconferencing equipment is often left vulnerable.
Businesses spend billions of dollars each year beefing up security on their computer systems. They agonize over the confidential information employees send to their Gmail and accounts and store on iPads. But rarely do they give much thought to the ease with which anyone can penetrate a videoconference room.
Moore has found it easy to get into venture capital and law firms, pharmaceutical and oil companies, and courtrooms.
“The entry bar has fallen to the floor,’’ said Mike Tuchen, chief executive of Rapid 7. “These are literally some of the world’s most important boardrooms - this is where their most critical meetings take place - and there could be silent attendees in all of them.’’
Today, most businesses use Internet protocol videoconferencing - a souped-up version of Skype - to connect. Most of the systems were designed with visual and audio clarity - not security - in mind.
Rapid 7 says businesses are investing in top-quality videoconferencing units but setting them up on the cheap. The most popular units, sold by Polycom and Cisco, can cost as much as $25,000 and feature encryption, high-definition video capture, and audio that can pick up the sound of a door opening 300 feet away. But administrators are setting them up outside the firewall and are configuring them with a false sense of security.
New systems can automatically accept inbound calls so users do not have to press an “accept’’ button. The effect is anyone can dial in and look around a room, and the only sign of their presence is a tiny light on a console unit, or the swing of a camera.
Moore wrote a program that scanned the Internet for videoconference systems that were outside the firewall and configured to automatically answer calls. In less than two hours, he discovered 5,000 wide-open conference rooms. He stumbled into an attorney-inmate meeting, an operating room, and a venture capital pitch meeting.
In some cases, Moore discovered he could leap from one open system into its address book and dial into the conference rooms of other companies, even those behind a firewall. That was the case with Goldman Sachs. Its boardroom did not show up in Moore’s scan but “Goldman Sachs Board Room’’ popped up in a law firm’s directory. Moore said that because he was afraid of “crossing a line,’’ he did not dial into Goldman Sachs.
Said Tuchen, “Any reasonably computer literate 6-year-old can try this at home.’’