“If it can be hacked, it will be hacked”: this was the sentiment at the recent 2015 Black Hat Conference in Las Vegas, where dozens of presenters identified gaps in companies’ security in order to show where improvements need to be made. Of particular interest is a ubiquitous piece of technology that graces many of today’s boardrooms: the video conferencing system. It was revealed that, without the right protections, it is a rather simple matter to dial into the system and observe meetings as they take place. The potential for malicious use of information obtained this way is staggering, which is why greater awareness of the issue and better methods of protection are needed to counter the threat.
What Can Hackers Find Out?
In 2012 Wired.com released an article on how two computer experts, Moore and Tuchen, were able to digitally access several boardrooms and meeting areas, not only at prominent companies but also at universities and prisons. Their findings revealed considerable gaps in the way companies protect their video conference systems. The largest gap was that companies set their systems up to be reachable from outside their firewalls and allowed connections to be established automatically, without a proper vetting procedure in place. While these choices were made to make conferences far easier to connect to, they create the potential for corporate secrets or private information to get out to the general public. This can cost a company millions of dollars, given how many important decisions are made in conference rooms around the world.
Can You Detect if a Hacker is Watching?
If a person trespasses onto your property, you can normally see them doing so and catch them in the act. The same cannot be said if someone hacks your system. While some older video conferencing systems have a startup procedure in which the device emits a few sounds and the camera swivels around, newer systems have eliminated such obvious signs that the system is in active use. Not only that, as the work of Moore and Tuchen shows, accessing such systems without being detected is quite easy as long as the hacker does nothing obvious that would give them away (e.g. making sounds through the microphone). If the system lacks encryption, all they need to do is stay quiet and observe the proceedings of a meeting, and they are unlikely to be caught. A hacker could therefore listen in on all manner of private meetings that decide a company’s strategy for the next few years. Should this information get out, it could cripple the company’s future plans, especially if it deals with proprietary product development. Imagine being able to listen in on an Apple meeting that will decide the company’s future lineup of products. The sheer value of that information alone shows why it would be tempting for hackers to attempt to breach your company’s video conferencing system.
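A silent observer leaves no sign in the room, but an endpoint that records its calls still logs the connection. The Python sketch below is an added example, not part of the original article: it reviews constructed call records and flags inbound calls from outside the internal network, rating them higher when they were auto-answered and unencrypted. The record layout, field names and address ranges are assumptions.

```python
import csv
import io
import ipaddress

# Assumption: the organisation's internal address space (RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records; the column layout is hypothetical, not a real
# vendor log format. External addresses come from documentation ranges.
SAMPLE_CALLS = """\
start,room,direction,remote_ip,answered_by,encrypted,duration_s
2015-08-10T09:00:12,boardroom-1,inbound,10.20.4.17,user,yes,1805
2015-08-10T14:02:41,boardroom-1,inbound,203.0.113.45,auto,no,3310
2015-08-11T10:15:00,lab-2,outbound,198.51.100.9,user,yes,600
2015-08-11T23:47:03,boardroom-2,inbound,198.51.100.77,auto,yes,42
2015-08-12T08:30:00,boardroom-2,inbound,not-an-ip,auto,no,15
"""

def is_internal(addr):
    """True only if addr parses and falls inside a known internal network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # an unparseable source is treated as untrusted
    return any(ip in net for net in INTERNAL_NETS)

def review_calls(text):
    """Return findings for inbound calls from non-internal sources."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["direction"] != "inbound" or is_internal(row["remote_ip"]):
            continue
        reasons = ["external source"]
        if row["answered_by"] == "auto":
            reasons.append("auto-answered, nobody in the room accepted it")
        if row["encrypted"] != "yes":
            reasons.append("unencrypted media")
        # Auto-answer plus no encryption matches the silent-observer scenario.
        severity = "high" if len(reasons) == 3 else "medium"
        findings.append((severity, row["start"], row["room"],
                         row["remote_ip"], reasons))
    return findings

if __name__ == "__main__":
    for sev, start, room, ip, reasons in review_calls(SAMPLE_CALLS):
        print(f"[{sev}] {start} {room} from {ip}: " + "; ".join(reasons))
```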
Resolving the Issue
While Moore has informed companies like Polycom (HDX systems) of the issue, and the company has implemented the necessary fixes to prevent such a problem in the future, the sheer number of video conference system providers in the market today raises the question of whether the system a company currently uses can be easily compromised by an outside attacker. One way of preventing such a problem is to look for companies that offer protected services, such as encrypted video conferencing from Blue Jeans. Other potential solutions involve implementing stricter entry procedures for video conference meetings to ensure that only authorized individuals can access the system. A more direct way to resolve the issue is to take the video conferencing system out of the equation altogether by making sure that it is unplugged when not in use. Hackers cannot access a device that is not turned on and connected to the internet.
Negligent practices when it comes to protecting what occurs within your company’s boardrooms can result in significant losses, since any strategy that you develop behind what you deem “closed doors” may find its way to your corporate rivals. As stated earlier in this article, “If it can be hacked, it will be hacked”; however, just because it can be hacked does not mean you should make it easy to do so.