Conference Calls in Noida - Thu, Mar 21, 2019
Today I read about insecure video conferencing systems made by Polycom, and Googled up a Shodan query to find them. The query was “polycom command shell”.
Polycom Conference Calling System on 18.104.22.168
The results were all video conferencing devices that had open telnet ports, but I ultimately chose one in India that was running a webserver as well, so that I could have something more interesting to take pictures of.
Checking the telnet port first:
👻🌵🔮 $ nc 22.214.171.124 23 -v
found 0 associations
found 1 connections:
1: flags=82<CONNECTED,PREFERRED>
outif ipsec0
src 10.6.6.4 port 65263
dst 126.96.36.199 port 23
rank info not available
TCP aux info available
Connection to 188.8.131.52 port 23 [tcp/telnet] succeeded!
!
Polycom Command Shell
XCOM host: localhost port: 4121
TTY name: /dev/pts/0
Session type: telnet
2019-03-21 20:32:58 DEBUG avc: pc: XCOM:INFO:server_thread_handler: new conn [conn: 0x4c900468] [sock: 6] [thread: 0x11f71dc8] [TID: 3344]
2019-03-21 20:32:58 DEBUG avc: pc: uimsg: [R: telnet /tmp/apiasynclisteners/psh0 /dev/pts/0]
2019-03-21 20:32:58 DEBUG avc: pc: appcom: register_api_session pSession=0x13332088
2019-03-21 20:32:58 DEBUG avc: pc: appcom: about to call sendJavaMessageEx
2019-03-21 20:32:58 DEBUG jvm: pc: UI: xcom-api: ClientManager: createSession(type: telnet sess: 21617)
2019-03-21 20:32:58 DEBUG jvm: pc: UI: xcom-api: ClientManager: createSession current open sessions count= 2
2019-03-21 20:32:58 DEBUG avc: pc: appcom: session 21617 registered
I didn’t want to spend a bunch of time figuring out how to look around here so I exited the connection and went to the webserver.
I found pretty quickly that I could make any calls I wanted, see the entire call history, and even, maybe most troublingly, monitor any call in progress. A lot of the calls seemed to be within-network, which made me think that this could be an office’s conference room phone for conference calling, as in my time in offices we’d frequently call a coworker mid-meeting to ask them some questions. I don’t understand not putting any password or authentication on this kind of system. I took a look at the security settings and it seems like they had chosen to set the security to “minimal”. Why? I can’t imagine that it was the default.
The last phone number called was an Airtel India phone number, and I was tempted to call it so I could figure out whose phone I was looking at, but it seemed unwise and also too difficult. I hate phone calls. See you tomorrow.