Hackers could eavesdrop on confidential chats via videoconference equipment

Boston-based Rapid7 looks for security flaws in computer systems and recently found a gaping security hole in videoconferencing equipment
Boston-based Rapid7 looks for security flaws in computer systems and recently found a gaping security hole in videoconferencing equipment, according to a report by the New York Times.

HD Moore, the company’s chief security officer, explained that he was able to get access to conference rooms in venture capital and law firms, pharmaceutical and oil companies, as well as courtrooms, by hacking into their videoconferencing systems.

Moore discovered that hundreds of thousands of businesses were investing in IP-based videoconferencing equipment, but were setting the equipment up outside the corporate firewall.

New videoconference systems often have a feature that automatically accepts inbound calls so users do not have to press an “accept” button every time someone dials into their videoconference. The effect is that anyone can dial in and look around a room.

Moore wrote a computer program that scanned the internet for videoconference systems that were outside the firewall and configured to automatically answer calls. He discovered 5,000 wide-open conference rooms at law firms, pharmaceutical companies, oil refineries, universities, and medical centers.
