Securing your Videoconferencing Codec: Device Security
Videoconferencing appliances are not like most PCs and other devices on your network. They are security hardened devices that don’t get viruses, worms, or infected with common malware. They often run an uncommon operating system (VXworks, etc.) or an operating system that has been stripped of all but the basic functions. As such, a number of the common security concerns don’t apply or can be handled without much problem.
However, don’t think that you’re getting off that easily! Because their function is to provide two-way communications, videoconferencing systems have a number of unique concerns that must be addressed. Let’s look first at the physical security of our videoconferencing devices.
One of the problems with having a sophisticated high definition pan tilt camera mounted in a conference room or classroom, is some unscrupulous sort is going to think “I want to have that for myself ” and steal it. Little do they know that the connections on a Polycom Eagle Eye camera are proprietary and will not work without a Polycom codec, or that there is no easy way to control the PTZ function on a Lifesize camera when it is not connected to a Lifesize codec. Once they get the camera home and encounter these problems, they will quickly realize that it can’t be used for skyping or taking selfies, and promptly throw the purloined equipment in the trash.
So, it’s a good idea to physically secure any system, camera, or accessory. Depending on your configuration, you maybe able to put some of the equipment in a locked cabinet. Most cameras have a way to secure them either through a special mount and screw (like many projectors) or a so-call Kensington Lock connector that works with locking systems designed for computers. Taking these precautions is a must if your videoconferencing system is in a public location or on a mobile cart where access is not strictly controlled.
Based on my experience, it is also a good idea to secure the network cable used by your videoconferencing device, both at the codec and where it connects to the wall jack. Videoconferencing systems do not perform well over wireless networks, and are almost always hardwired. Sometimes a user, guest, or interloper who is not able to get on the wireless network will attempt to jack into any nearby wired network or ethernet cable, including the one your videoconferencing system is using. Your IT staff can secure the wired network (via Mac address, passwords, etc.) but that still doesn’t prevent people from trying. Many of my clients have called to complain that their videoconferencing system doesn’t work, and we find that the network connection had been disconnected by some previous user in an attempt to get on the Internet. Securing your physical wiring is a very important part of your organization’s network security.
Probably the biggest security risk for a videoconferencing system is not changing the system’s default passwords. Videoconferencing systems come with a variety of ways to change their settings including a web interface, command line utilities like SSH or Telnet, and the remote control for the device itself. Access to these interfaces is controlled via system password, which is set to a default at the factory (“1234,” “password,” “admin123,” etc.). Unfortunately, a lot of people do not change these passwords and most systems do not force users to change from the default password or to periodically update the password of the videoconferencing system, the way it would for a regular network user.
More problematic is the fact that these systems often have advanced or diagnostic pages that use a different default password that is not obvious or easy to change. For example, with the Lifesize 220 series of codecs, I can access the web interface for the unit by simply going to the IP address of that unit with a web browser and I will be prompted to login with the admin passcode. It is quite obvious where to change administrator password in both the on-screen settings as well as the settings when accessed via a web browser.
However, I can also access a special diagnostic page in the 220 by going to a URL that is formatted as follows: http://<ipaddress of codec>/support. Once there I am prompted for a different username and password. In this example, the username is “cli” and the password is “lifesize” by default. There is no way to change this default password from the web interface or on-screen interface. If I want to change this password, I have to use a command line (via serial, SSH or Telnet) and issue the command set password.
With this particular unit there is no way to turn off the diagnostic page without disabling the entire web interface. The diagnostic page doesn’t have a whole lot that could be considered sensitive, for example we can’t change the main page settings, change passwords, turn off auto answer, etc. However, you could really screw up a system. You could turn on VSAT mode (which would make the unit increase delay times to account for videoconferencing over satellite connection), delete the transit or SIP settings, or just reboot it (perhaps run a script on your computer to reboot it every 5 minutes?).
Devices having multiple default passwords is not only an issue with the particular system I used in this example. It is an issue with lots of systems and with a lot of infrastructure devices. You have to have someone dig into the manual in order to understand what passwords and accounts are in place by default. Manufacturers are starting to change this, and most of the latest releases of software that I’ve seen allow you to change all the passwords from the user or web interface.
Since I picked on Lifesize in the previous example, I’ll show you that they have improved with their latest release of the icon system software and now both the administrator and system level passwords can be changed from the same spot on the web interface.
If you don’t have a need for services such as SSH, Telnet, or even the web interface, it’s a good idea to turn those off. This can be done from the main settings interface (web or on-screen) of most modern video conferencing systems. You can always turn them back on when you need them.
Because videoconferencing systems have little web servers built into them, they can be vulnerable to some of the common server based attacks. Recent examples include shellshock, heartbleed, and poodle. System makers are fairly quick to update their system software to address these vulnerabilities. Make sure that someone in your organization is designated to collect information about updates (all makers have email lists that you can signup to get information about updated software), and to make those updates.
Note: Almost all makers will only allow you to download the latest versions of their software if your system is under a service contract. If your contract expires, there can be a “recertification fee” that is assessed, so it is a good idea to keep track of the service contracts for all your videoconferencing devices.
Originally published at letsdovideo.com on December 22, 2015.