Thousands of companies may be harbouring spies in their meeting rooms that listen to private conversations, warned a security expert at the RSA conference, which has just ended in San Francisco.
Michael Sutton, vice president of research at security firm Zscaler, presented evidence demonstrating that thousands of embedded web servers in devices such as video-conferencing systems remain unprotected. These can be remotely hacked with little effort, despite repeated warnings from security analysts.
Sutton used automated scanning tools to poll more than a million web servers and found more than 9,000 unprotected video-conferencing systems from Polycom and Tandberg, the latter of which was recently acquired by Cisco.
Access to video-conferencing products allows hackers to listen to meetings even when the system is not being used by the participants.
Departmental printers with embedded web servers can also be hacked from the internet to yield vital information in stored documents.
Sutton's scans uncovered more than 3,000 Canon multifunction printing devices, 1,200 Xerox copiers and up to 20,000 other printer/copier machines, all of which were unprotected.
He also found unprotected phone systems – the packet data from these could be converted into audio files.
Security researchers have previously warned companies about the vulnerability of embedded systems. But Sutton said these warnings are ignored and thousands of devices remain open to attack.
Zscaler's in-the-cloud security systems focus on protecting end users. They analyse end-user behaviour for anomalies, which marks a shift from the approach taken by conventional firewalls.