Video Hijacking Underlines the Need for Architectural Security

August 12, 2009

At this year’s DEFCON 17 security conference, which ended August 2, several presentations focused on physical security. Jason Ostrom and Arjun Sambamoorthy of Sipera Systems presented on several tools for intercepting, capturing, and spoofing video feeds over the network. Armed with these tools, attackers could eavesdrop on live video conferences, video phone conversations, or IP security cameras. In addition, they demonstrated the ability to capture video feeds and replay video of their choosing. This would allow someone to inject messages into video conferences or to trick security personnel by replaying video, instead of showing live video of a monitored area.

Ostrom and Sambamoorthy’s methods rely on architectural weaknesses in enterprise design to intercept video streams with their tool, UCSniff. By using VLAN hopping to traverse virtual network boundaries, users of the tool could find areas of the network that are meant to be isolated for VoIP and video. Or, by taking advantage of gratuitous ARP on VoIP phones, attackers could use the tool to make their PC a legitimate endpoint for video traffic, in place of a legitimate video phone. The researchers note that encrypting communication streams would also prevent this hijacking or spoofing, but in their experience few sites implement it.

While the tools presented offer an impressive example of how video communications can be compromised, the underlying problems are certainly not new. What may be changing, however, is the quantity and value of information on the network, and the ease with which malicious actors might cause losses because of that increase. Video conferencing will likely increase as businesses continue to leverage new technologies to collaborate, drive innovation, and get more value out of time spent in meetings.

As these technologies take a more prominent place in business, it will be necessary to ensure that the security of these communications is handled according to business risk tolerance.

In the Information Security Management Maturity Model (ISM3 v2.10), there is an apt illustration for this point:


ISM3 mentions Mayfield’s Paradox, essentially that the cost of an information system dramatically increases as fewer people are supposed to access it. When considering communications, most businesses are going to find themselves in the middle of Mayfield’s curve (Levels 2 or 3 above), where some moderate cost is going to be necessary to provide some moderate security and moderate risk reduction. This will be especially true for businesses where, although the information shared in video conferencing is sensitive, it is much more important to collaborate easily than to meticulously guard communications.

In some cases, robust architectural designs will be of prime importance, and Layer 2 controls against VLAN hopping and ARP spoofing will provide wide-ranging protection against a variety of attacks. For other organizations, communication encryption will make sense. For others still, both of these protections and more will be necessary to guard very sensitive material. But organizations should remember that what Ostrom and Sambamoorthy have done is demonstrate that what used to be dangerous for network communication remains dangerous. It is only the type and quantity of data on the network that has shifted.

For further reading, Cisco has provided guidance for VLAN configurations to defeat these kinds of attacks, as well as documentation on phone hardening and phone security.
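A passive check for the gratuitous-ARP takeover described above, as an added example that is not from the original post or from Cisco: it decodes ARP payloads and flags any message that claims an IP address already bound to a different MAC. The addresses, the sample frames and the rule that the first observed binding is the trusted one are assumptions made for the illustration.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 layout for Ethernet/IPv4, 28 bytes

def parse_arp(payload: bytes) -> dict:
    """Decode one ARP payload; reject anything that is not Ethernet/IPv4."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"oper": oper, "mac": sha.hex(":"), "ip": socket.inet_ntoa(spa),
            "gratuitous": spa == tpa}  # sender IP == target IP: unsolicited announcement

def find_rebinds(payloads):
    """Return an alert for each ARP message claiming an IP already bound to another MAC."""
    baseline, alerts = {}, []
    for n, payload in enumerate(payloads):
        try:
            arp = parse_arp(payload)
        except ValueError:
            continue  # malformed frames are skipped, never learned from
        known = baseline.setdefault(arp["ip"], arp["mac"])  # assumption: first sighting is legitimate
        if known != arp["mac"]:
            alerts.append({"index": n, "ip": arp["ip"], "expected": known,
                           "claimed": arp["mac"], "gratuitous": arp["gratuitous"]})
    return alerts

def build_arp(oper, sender_mac, sender_ip, target_ip, target_mac="00:00:00:00:00:00"):
    """Hypothetical helper that builds the constructed sample payloads below."""
    to_mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, to_mac(sender_mac),
                       socket.inet_aton(sender_ip), to_mac(target_mac), socket.inet_aton(target_ip))

# Constructed sample traffic (documentation-range IPs, made-up MACs)
SAMPLE = [
    build_arp(2, "02:00:00:00:00:10", "192.0.2.10", "192.0.2.1"),   # phone replies to the gateway
    build_arp(1, "02:00:00:00:00:01", "192.0.2.1", "192.0.2.10"),   # gateway request
    build_arp(2, "02:00:00:00:00:10", "192.0.2.10", "192.0.2.10"),  # phone's own gratuitous ARP
    build_arp(2, "02:00:00:00:00:66", "192.0.2.10", "192.0.2.10"),  # another MAC claims the phone's IP
    b"\x00\x01\x08\x00",                                            # truncated payload
]

if __name__ == "__main__":
    for alert in find_rebinds(SAMPLE):
        print(alert)
```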
