When I did independent IT consulting, I had a client with a home in Florida and an office in Pennsylvania. He purchased a <i>very</i> nice high-def Polycom unit for both locations so he could work from his office in Florida. It was a nice setup that would make any remote worker jealous, with all the pan/tilt/zoom you could dream of and quality that was out of this world.<p>My first visit was to solve a problem with the conferencing system. He could see his office, but couldn't hear them. The problem ended up being an input issue on his TV, not the Polycom itself, but in the process, I discovered something horrifying. Both his unit and the one in PA were configured to auto-accept incoming IP calls. He regularly kept the television turned off at his home office, so if someone connected to his Polycom, the only evidence would be the lights.<p>A quick inspection of the network revealed that there was no firewall. His PC connected to a VPN, but the Polycom was open on the internet. When I asked him how he was protected from a random person connecting to his Polycom, he said "No one else knows the IP address." As if it were some kind of password. I accidentally laughed out loud in one of those awkward moments where you immediately realize that laughing was the inappropriate response. I explained that attackers constantly scan IP ranges just looking for devices to exploit.<p>He, of course, had me disable the auto-answer feature immediately, but wouldn't go the extra step of setting up a firewall between his office and PA. I was flatly appalled that a Polycom integrator would install a unit on an internet facing IP with auto-answer turned on.
HD Moore posted on the Rapid7 blog some of the technical details: <a href="https://community.rapid7.com/community/solutions/metasploit/blog/2012/01/23/video-conferencing-and-self-selecting-targets" rel="nofollow">https://community.rapid7.com/community/solutions/metasploit/...</a>