Security vulnerabilities in some connected video conferencing products could allow hackers to remotely gain control of equipment and use it as a snooping tool.
The remote OS command injection vulnerabilities affect four Lifesize enterprise collaboration products - Lifesize Team, Lifesize Room, Lifesize Passport and Lifesize Networker and have been uncovered by researchers at security firm Trustwave.
Exploiting the vulnerability requires attackers to gain access to the firmware of Lifesize products, which also requires them to know the serial number of the device.
But if this can be obtained, researchers say it's "trivial" to gain control of the device with some software tools and information from the Lifesize support page, which can help provide a backdoor into the device. The devices are also linked to a default support account which come with a default password – something which many users won't have changed, providing attackers with a crucial piece of the puzzle of the compromise.
The initial vulnerability stems from what researchers describe as a programming error which allows user input to occur without being restrained by sanitisation involving shell functions. By combining this with a privilege escalation bug, it's possible to run system commands, providing attackers with a foothold into the network the Lifesize product is on.
Combine this privilege escalation with a command injection vulnerability and it's possible to gain full persistence on the device.
"With this you have access to everything. Any video or audio stored on that machine will be gettable fairly trivially," Ed Williams, director of Trustwave's Spiderlabs research department told ZDNet.
"That machine can be used as a launchpad to attack other machines. Say this audio equipment is internet-facing, you can get access to the underlying operating system through this vulnerability. From an external attack, you can potentially gain internal access – it's a worse case scenario, but potentially very serious."
The nature of the attack means it'd be difficult to tell if a device has been compromised, meaning that there's potential this vulnerability has already been exploited in the wild.
"It'd be difficult to tell if a device had been accessed, because these type of devices don't have very good logging. As a result it's difficult to see what's going on, so it'd be difficult to find out if this is the root cause of an attack. Attackers are likely to be looking for and using this," said Williams.
Lifesize told ZDNet it will be issuing a patch for the affected products.
"We are pro-actively addressing the vulnerability and automatically patching all Icon 220 Series systems that are connected to the Lifesize Cloud. For non-cloud connected devices, customers will need to deploy the hotfix and we will work with each impacted customer to resolve the issue as quickly as possible," said Bobby Beckmann, chief technology officer at Lifesize.
To help protect against attacks exploiting the vulnerability, Trustwave has urged users to change the default passwords of devices. It's also recommended that users are aware of what devices are on their network and whether they're up to date
"Learn what you've got running and if it's internet exploitable or internet facing. If it is, update the firmware or take it off the internet. Make sure the devices are on a segregated network, so if someone is able to get onto it, that's as far as they can get," said Williams.
Trustwave has posted a full technical analysis of the vulnerability on the company blog.
READ MORE ON CYBER SECURITY