Hacking Video Conferencing Systems
Offered By: Black Hat via YouTube
Course Description
Overview
Explore the world of hacking video conferencing systems in this Black Hat EU 2013 conference talk. Delve into a comprehensive case study on Polycom HDX devices, uncovering vulnerabilities in high-end videoconferencing systems commonly deployed in critical corporate locations. Learn how to analyze software update file formats, gain system-level access to closed devices, and set up a vulnerability development environment. Witness a demonstration of remotely compromising Polycom HDX devices over the network by exploiting vulnerabilities in the H.323 stack. Discover post-exploitation techniques, including methods to control attached peripherals like video cameras and microphones, potentially leading to the creation of a surveillance rootkit. Gain insights into the device architecture, filesystem, configuration files, and main processes of these systems. Explore the intricacies of the H.323 protocol, call initiation, and call detail records. Understand the challenges of SQL injection exploits and format string bugs. Finally, learn about the Polycom disclosure process and the implications of these security findings for the videoconferencing industry.
Syllabus
Intro
Agenda
Background
Revenue Market Share
Polycom HDX Systems
Attack Surface
Firmware Analysis
PUP File Structure
PUP Header
Header HMAC
Public Key DSA Signature
HDX Boot Modes
Enabling Development Mode
Polycom Command Shell
Device Rooting - Method #2
Problems with previous Methods
Device Rooting - Method #3
System Architecture
Filesystem
Configuration Files
Main Processes
AppMain Java Process
Polycom AVC
Remote Debugging
Watchdog Daemon
Ready for Bug Hunting...
H.323 Protocol
H.323 Signaling Protocols
Call Initiation
Call Detail Records
Vulnerabilities
SQL Injection Exploit Challenges
Vulnerability #2
Exploiting the Format String Bug
Post Exploitation
Polycom XCOM IPC
Polycom Disclosure Process
Taught by
Black Hat
Related Courses
Network Security
Georgia Institute of Technology via Udacity
Proactive Computer Security
University of Colorado System via Coursera
Identifying, Monitoring, and Analyzing Risk and Incident Response and Recovery
(ISC)² via Coursera
Hacker101
HackerOne via Independent
CNIT 127: Exploit Development
CNIT - City College of San Francisco via Independent