Hacker finds flaw in teleconference tool used by US Army, NASA and CERN
Like we need another reason to hate videoconferences
Sydney security tester Jamieson O'Reilly has reported a since-patched vulnerability in video platform Vidyo – used by the likes of the US Army, NASA and CERN – that could see videos leaked and systems compromised.
O'Reilly, director of intelligence for consultancy Content Protection, says he picked up the bug during a client test and reported it to the New Jersey video company which has since issued a patch.
Google searches for particular strings can reveal vulnerable devices connected to the internet.
The company says some 3,000 Fortune 100 SMB customers and 39 of the top 100 healthcare networks in the US use the hardware, together clocking more than 50 million minutes in talk time.
"I ended up finding an arbitrary file disclosure vulnerability," O'Reilly told The Register. "It's more than just [leaked] videos, also Linux filesystem files (/etc/passwd) and other configuration files.
"I've never heard of this software before and thought that the risk exposure was quite low until I looked at the clients. There are a lot of publicly accessible Vidyo endpoints that are probably vulnerable that you can identify using Google."
O'Reilly says version 18.104.22.168 of Vidyo's firmware for its gear has been released to close the hole. ®