
Corporate Boardrooms Open To Eavesdropping

cweditor writes "One afternoon this month, a hacker toured a dozen corporate conference rooms via equipment that most every company has in those rooms: videoconferencing. Rapid7 says they could 'easily read a six-digit password from a sticky note over 20 feet away from the camera' and 'clearly hear conversations down the hallway from the video conferencing system.' With some systems, they could even capture keystrokes being typed in the room. Teleconferencing vendors defended their security, saying the auto-answer feature that left those systems vulnerable was an effort to strike the right balance between security and usability."

  • by elrous0 ( 869638 ) * on Wednesday January 25, 2012 @11:10AM (#38818153)

    This may be good for some corporate espionage. But if any hacker is doing this thinking he's going to expose the dark corporate underbelly, he's going to be disappointed.

    If my experience is any indication, the evil stuff doesn't go on in rooms like that. Contrary to the movies, you have very few open meetings where a bunch of guys sit around and openly plot evil deeds. Most of that stuff is done in much smaller settings, and even then they use euphemisms and obfuscation. It's not like someone says openly "Hey, can we bribe some local politicians so we can get away with dumping our factory wastewater into their rivers?" Instead they say something like "How can we cut costs at this factory?" to which someone else responds "Well, if we could get rid of the burdensome environmental regulations down there, then it would help with profitability" to which someone else responds "I'll call our people there and have them talk with some of our political allies."

    I imagine some "hacktivists" will hack these systems expecting to get a smoking gun. But after hours of watching, all they'll get are a lot of boring meetings filled with financial figures, shitty PowerPoint presentations, and corporate-speak platitudes. It'll be a lot less "Here's our secret plan" and a lot more "Here are the fourth quarter earnings breakdowns" and "Let's talk about how we build synergy in Asian markets..."

  • Insider trading (Score:5, Insightful)

    by stevegee58 ( 1179505 ) on Wednesday January 25, 2012 @11:16AM (#38818217) Journal
    If I were looking to do insider trading I wouldn't be bored at all.
  • by DickBreath ( 207180 ) on Wednesday January 25, 2012 @11:18AM (#38818243) Homepage
    I remember when Microsoft automatically executing email attachments was intended to strike the right balance between security and usability. That was a long time ago, in a galaxy far, far away. But still. Everyone saw the security disaster coming. The "I Love You" email was one of the first to get widespread attention enough to be Microsoft's wake-up call on taking security seriously. Gone were the days when you could send dot-dot-slash in a URL to work your way up the inetpub wwwroot directories and then to windows / tftp.exe to pull down malware from evil.com on a fully patched NT 4.0 IIS.
  • this is hilarious (Score:5, Insightful)

    by poetmatt ( 793785 ) on Wednesday January 25, 2012 @11:22AM (#38818293) Journal

    Saying that you're not going to find anything is a hilarious misdirect of the fact that the vulnerability has existed for a long time and still does.

    Saying "oh they won't find anything" is still not an answer to "but we left the door wide open".

  • by jellomizer ( 103300 ) on Wednesday January 25, 2012 @11:29AM (#38818393)
    Your version is still too dramatic.

    It usually goes like this... I go golfing with the senator once a week.
    During golfing...
    Senator: How's business?
    Business man: It has been better, I think we need to lay off 100 people, we cannot keep ahead of the competition from other States/Country and the key cost is that law that needs us to clean up our water pollution count, we need to change our whole business, and we need to cut people.
    Senator: 100 layoffs during (thinking that it is an election year), that doesn't sound good, I'll see what I can do.

    Then the senator debates to put particular extensions to exclude the business from the rules.

    Later during the election you will see a million-dollar donation to a Super PAC.

    Very rarely people are trying to do evil, they are more often just negligent in doing their work, or too focused on short term issues that they ignore all the long term consequences.
  • by Spectre ( 1685 ) on Wednesday January 25, 2012 @11:35AM (#38818477)

    My experience with those VTC devices is that when they're off, they make efforts to show that they are indeed off, and conversely when someone connects they do stuff like swivel the camera around, turn on lights, etc... It may be possible to do that without someone noticing, but it seems more likely that you're going to get a whole lot of attention from some high power folks.

    Since the company I work at does consulting for C-suite people at a lot of different organizations, I'm pretty sure I have observed enough people to cross the line from anecdotal experience to enough data to form a hypothesis (somebody should test it).

    The "higher ups" don't understand technology, even as simple as videoconferencing equipment with a remote that is simpler than a typical cable-TV remote.

    When they want to use a video conference, they get somebody from "IT" to come in, click the three buttons that make it hook up, then do their conference, and leave the room, still leaving the conference running because they don't know what the "hang-up" button does.

    It isn't that they are idiots, it is just that they don't care, they have "people who handle that stuff" so they don't have to.

    So, if the camera comes on, swivels around, auto-focuses, red lights come on, they ignore it, because they don't perceive it as "something I need to concern myself with".

  • by Attila Dimedici ( 1036002 ) on Wednesday January 25, 2012 @12:17PM (#38818971)
    I am not a scientist but my experience is similar. Our department has periodic video conferences that were started by our current boss. When he was asked by someone why we were doing video conferences (which required reserving a video conference room in another building from our work area) rather than just an ordinary teleconference (which could be done from our desks, although we usually gather in the conference room adjacent to our office area) his response was, "Well, we have the technology, so we might as well use it." Which did not answer the question, which was, "What value does the video add to this meeting?" Personally, I find the video conferences even less useful than the ordinary teleconferences because at least with the teleconferences we can mute the phone and discuss how topics apply to us without having to listen to input from people at other locations input stuff that has nothing to do with our location and still listen to those topics where the experiences of those at other locations are relevant to us (which is rare).
