Security vulnerabilities in video conferencing devices could be remotely exploited by hackers

February 7, 2019

Security vulnerabilities in some connected video conferencing products could allow hackers to remotely gain control of equipment and use it as a snooping tool.

The remote OS command injection vulnerabilities affect four Lifesize enterprise collaboration products – Lifesize Team, Lifesize Room, Lifesize Passport and Lifesize Networker – and were uncovered by researchers at security firm Trustwave.

Exploiting the vulnerability requires attackers to gain access to the firmware of Lifesize products, which also requires them to know the serial number of the device.

But if this can be obtained, researchers say it’s “trivial” to gain control of the device with some software tools and information from the Lifesize support page, which can help provide a backdoor into the device. The devices are also linked to a default support account which comes with a default password – something which many users won’t have changed, providing attackers with a crucial piece of the puzzle of the compromise.

The initial vulnerability stems from what researchers describe as a programming error in which user input is passed to shell functions without sanitisation. By combining this with a privilege escalation bug, it’s possible to run system commands, providing attackers with a foothold into the network the Lifesize product is on.

Combine this privilege escalation with a command injection vulnerability and it’s possible to gain full persistence on the device.
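
The bug class described above, user input reaching a shell function without sanitisation, shown beside a hardened form. This is an added illustration in Python, not Lifesize's firmware code or Trustwave's analysis; the handler names, the `echo` stand-in command and the sample input are constructed assumptions.

```python
import ipaddress
import re
import subprocess

# Hypothetical device diagnostic: "check" a host named by the user.
# `echo` stands in for the real tool so the example is harmless and offline.

def check_host_vulnerable(host: str) -> str:
    # BUG: the input is concatenated into a string that /bin/sh parses,
    # so metacharacters such as ; | & ` $() become part of the command.
    cmd = "echo checking " + host
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

# One DNS label: letters, digits, inner hyphens; labels joined by dots.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")

def validate_host(host: str) -> str:
    """Allow-list: accept only an IP address literal or a plain hostname."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if len(host) <= 253 and _HOSTNAME.fullmatch(host):
        return host
    raise ValueError(f"rejected host value: {host!r}")

def check_host_hardened(host: str) -> str:
    target = validate_host(host)
    # Argument list and no shell: the value is passed as one argv entry
    # and is never interpreted as command syntax.
    result = subprocess.run(["echo", "checking", target],
                            capture_output=True, text=True, check=True)
    return result.stdout

if __name__ == "__main__":
    sample = "192.0.2.10; echo INJECTED"   # constructed input
    print("vulnerable:", check_host_vulnerable(sample).splitlines())
    try:
        check_host_hardened(sample)
    except ValueError as err:
        # Recording rejections gives responders something to search later.
        print("hardened:", err)
    print("hardened ok:", check_host_hardened("192.0.2.10").strip())
```
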

“With this you have access to everything. Any video or audio stored on that machine will be gettable fairly trivially,” Ed Williams, director of Trustwave’s SpiderLabs research department, told ZDNet.

“That machine can be used as a launchpad to attack other machines. Say this audio equipment is internet-facing, you can get access to the underlying operating system through this vulnerability. From an external attack, you can potentially gain internal access – it’s a worst-case scenario, but potentially very serious.”

The nature of the attack means it’d be difficult to tell if a device has been compromised, so there is potential that this vulnerability has already been exploited in the wild.

“It’d be difficult to tell if a device had been accessed, because these types of devices don’t have very good logging. As a result it’s difficult to see what’s going on, so it’d be difficult to find out if this is the root cause of an attack. Attackers are likely to be looking for and using this,” said Williams.

Lifesize told ZDNet it will be issuing a patch for the affected products.

“We are pro-actively addressing the vulnerability and automatically patching all Icon 220 Series systems that are connected to the Lifesize Cloud. For non-cloud connected devices, customers will need to deploy the hotfix and we will work with each impacted customer to resolve the issue as quickly as possible,” said Bobby Beckmann, chief technology officer at Lifesize.

To help protect against attacks exploiting the vulnerability, Tenable has urged users to change the default passwords of devices. It’s also recommended that users are aware of what devices are on their network and whether they’re up to date.

“Learn what you’ve got running and if it’s internet exploitable or internet facing. If it is, update the firmware or take it off the internet. Make sure the devices are on a segregated network, so if someone is able to get onto it, that’s as far as they can get,” said Williams.

Trustwave has posted a full technical analysis of the vulnerability on the company blog.

© 2019 NikolaNews.com - Global Tech Updates