Security vulnerabilities in several videoconferencing products could allow hackers to take remote control of the equipment and use it as a snooping tool.
The remote OS command injection vulnerabilities affect four enterprise collaboration products from Lifesize - Lifesize Team, Lifesize Room, Lifesize Passport and Lifesize Networker - and were disclosed by researchers at Trustwave.
Exploiting the vulnerability requires intruders to gain access to the Lifesize firmware, which in turn requires them to know the serial number of the device.
According to the researchers, once this is achieved it is "playful" to gain control of the device using a few software tools and information from the Lifesize support page, giving them unauthorised access to the device. The devices also ship with a default support account protected by a default password, which many users will not have changed, and which helps attackers considerably.
The initial vulnerability is due to what the researchers describe as a programming error, which allows users to bypass the protective functions without restriction. Combined with a privilege escalation flaw, this makes it possible to execute system commands, giving attackers a foothold in the network on which the Lifesize product sits.
The combination of privilege escalation and command injection can lead to full control of the device.
"With this you have access to everything. Any video or sound stored on this machine can be acquired very easily," Ed Williams, director of Trustwave's SpiderLabs research division, told ZDNet.
"This machine can be used as a starting point to attack other machines. If someone can gain access to audio equipment over the Internet, they can access the underlying operating system through this vulnerability."
The nature of the attack is such that it would be difficult to tell whether a device has been tampered with.
Lifesize told ZDNet that it has issued a patch for the affected products.
"We are preemptively dealing with the vulnerability and automatically protecting all Icon 220 series systems that are linked to Lifesize Cloud. For non-cloud devices, customers will need to take advantage of the hotfix. We will work with each customer to resolve the issue as quickly as possible," said Bobby Beckmann, chief technology officer at Lifesize.
To protect against attacks, Trustwave has urged users to change their devices' default passwords. Users are also advised to know which devices are on their network and whether those devices have been updated.
Trustwave has published a complete technical analysis of the vulnerability on the company's blog.