Posted by: Tony Bradley
DEFCON, eavesdrop, ip video, man-in-the-middle, redirect, Sipera Systems, VIPER Lab
IP video conference calls can be easily hijacked or eavesdropped on using simple tools that are available for free. Of the organizations that use IP video for surveillance or conferencing, only about 5% employ any sort of encryption or security measures to protect it.
It's a common trick in action movies for the bad guys to cut the wires to the video surveillance cameras and insert their own looped video clip of business as usual, so that security guards monitoring the area can't tell a breach is occurring. The Hollywood bad guys always make it look so easy, and now it is. Using simple techniques, attackers could insert video into an IP video surveillance stream, or listen to or watch an IP video conference undetected.
Sipera Systems' VIPER (Voice Over IP Exploit Research) Lab team demonstrated an attack on IP video conferencing at the recent DEFCON security conference. Jason Ostrom, director of VIPER Lab, said “These attacks are based on ARP poisoning/man-in-the-middle. You can do this with email and VoIP — we’re just doing a new twist on an old attack to show people that these vulnerabilities are out there for IP video.”
IP video and other aspects of unified communications can be game-changing tools that streamline business processes and improve efficiency. However, they also have to be protected and secured, or they can easily become game-changing weaknesses that give attackers access to sensitive information and network resources. Make sure you take advantage of the inherent security of the products you are using by enabling encryption and other security controls, and also take a look at third-party products like Sipera’s UC-Sec appliances.
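Because the attacks Ostrom describes rest on ARP poisoning, watching the IP-to-MAC bindings of cameras and conferencing units is a useful complement to encryption. The following is an added example, not part of the original post or any Sipera tooling: a small detector run over constructed ARP reply records. The function name, record format, and addresses (documentation ranges) are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample: (timestamp, sender IP, sender MAC) from ARP replies seen
# on a video VLAN. All addresses are documentation values, not real devices.
SAMPLE_ARP_REPLIES = [
    (1.0, "192.0.2.1", "00:00:5e:00:53:01"),   # gateway
    (1.5, "192.0.2.20", "00:00:5e:00:53:20"),  # IP camera
    (2.0, "192.0.2.30", "00:00:5e:00:53:30"),  # conferencing unit
    (9.0, "192.0.2.20", "00:00:5e:00:53:66"),  # camera IP claimed by a new MAC
    (9.1, "192.0.2.30", "00:00:5e:00:53:66"),  # same MAC claims the conf unit
    (9.5, "192.0.2.20", "00:00:5e:00:53:20"),  # real camera answers again
]


def find_arp_anomalies(replies, pinned=None):
    """Return (kind, ip, mac, timestamp) findings for suspicious ARP replies.

    pinned is an optional {ip: expected_mac} inventory of video endpoints;
    IPs without a pinned entry are checked against their last seen MAC.
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    current = {}                   # ip -> MAC from the most recent reply
    ips_by_mac = defaultdict(set)  # mac -> every IP it has claimed
    findings = []
    for ts, ip, mac in sorted(replies):
        mac = mac.lower()
        if ip in pinned:
            if mac != pinned[ip]:
                findings.append(("pinned_mismatch", ip, mac, ts))
        elif ip in current and current[ip] != mac:
            findings.append(("binding_changed", ip, mac, ts))
        current[ip] = mac
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            # One MAC answering for several endpoints is typical of a
            # man-in-the-middle position between them.
            if len(ips_by_mac[mac]) > 1:
                findings.append(("mac_claims_multiple_ips", ip, mac, ts))
    return findings


if __name__ == "__main__":
    for finding in find_arp_anomalies(SAMPLE_ARP_REPLIES):
        print(finding)
```

DHCP reassignment and multi-homed devices also produce these findings, so pinning the MACs of fixed endpoints such as cameras keeps the alerts meaningful.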