Security vulnerabilities in several videoconferencing products could allow an attacker to take remote control of the equipment and use it as a snooping tool.
The remote OS command injection vulnerabilities affect four enterprise collaboration products from Lifesize: Lifesize Team, Lifesize Room, Lifesize Passport and Lifesize Networker. They were disclosed by researchers at Trustwave.
Exploiting the vulnerability requires an intruder to gain access to the Lifesize firmware, which in turn requires knowing the serial number of the device.
According to the researchers, once this is achieved, gaining control of the device is trivial (a "toy", in their words) using some software tools and information from the Lifesize support page, which can give them unauthorised access to the device. The devices also ship with a default support account protected by a default password, which many users will not have changed, giving attackers a significant head start.
The initial vulnerability stems from what the researchers describe as a programming error that allows users to bypass protective functions without restriction. Combined with a privilege escalation flaw, this makes it possible to execute system commands, giving attackers a foothold on the network the Lifesize product sits on.
Combining the privilege escalation and command injection flaws can lead to full control of the device.
"With it you have access to everything. Any video or audio stored on this machine can be easily acquired," said Ed Williams, director of Trustwave's Spiderlabs research division.
"This machine can be used as a starting point to attack other machines. If one can access audio equipment over the Internet, one can access the underlying operating system through this vulnerability."
The nature of the attack is such that it would be difficult to tell if a device has been tampered with.
Lifesize told ZDNet it would issue a patch for the affected products.
"We proactively address the vulnerability and automatically protect all Icon 220 Series systems that are connected to the Lifesize Cloud. For devices not connected to the cloud, customers will need to utilize the hotfix. We will work with each client to resolve the issue as quickly as possible," said Bobby Beckmann, Head of Technology at Lifesize.
To protect against attacks, Trustwave has urged users to change their devices' default passwords. Users are also advised to know which devices are on their network and whether those devices have been updated.
Trustwave has published a complete technical analysis of the vulnerability on the company's blog.