Researchers have discovered that some video conferencing products could be hijacked too easily by hackers, who could then use the systems to snoop on companies’ private conferences, also putting important data at risk.
Hackers can remotely control the operating system through a vulnerability found in four products from Lifesize, stated researchers from the security firm Trustwave. The conferencing products are Lifesize Team, Lifesize Room, Lifesize Passport and Lifesize Networker.
Attackers could easily gain access to these products, and all they need to know to hijack the system is the serial number of the device.
Moreover, using the information on the Lifesize support page and a few more software tools, a hacker can find a way into an account. The default support account for the devices is also easy to access if users don’t change the default password, helping hackers to compromise the data.
Researchers found a programming error that lets users in; combined with a privilege escalation bug and the command injection vulnerability, it allows a hacker to gain full control of a device, explained Ed Williams, director of Trustwave’s SpiderLabs research department, in an interview with ZDNet:
With this you have access to everything. Any video or audio stored on that machine will be gettable fairly trivially.
What happens next? Williams added that a device controlled by an outsider could become a “launchpad” for attacks on more devices:
Say this audio equipment is internet-facing, you can get access to the underlying operating system through this vulnerability. From an external attack, you can potentially gain internal access – it’s a worst-case scenario, but potentially very serious.
Moreover, the attack will be silent, and nobody will know if the device was compromised, which also means that there is a possibility that this vulnerability was already exploited:
It’d be difficult to tell if a device had been accessed, because these types of devices don’t have very good logging. As a result it’s difficult to see what’s going on, so it’d be difficult to find out if this is the root cause of an attack. Attackers are likely to be looking for and using this.
The chief technology officer at Lifesize, Bobby Beckmann, stated that they would issue a patch for the Lifesize products and solve the issue as quickly as possible.
Jeff Wilkinson is a Senior Politics Reporter at Debate Report covering provincial and national politics. Before joining Debate Report, Jeff worked on several provincial campaigns including Jack Layton. Jeff has worked as a freelance journalist in Toronto, having been published by over 20 outlets including CBC, the Center for Media and VICE.com.