M33tfinder: Disclosing Corporate Secrets via Videoconferences

Remotely and without authentication, list the active conferences on a videoconferencing server, obtain meeting information and perform a brute-force attack to access the information discussed there.

Video conferencing systems are increasingly used to discuss critical issues in corporate environments, yet very few attacks and tools target them. Cisco Meeting Server (CMS) is software for hosting video conferences; it lets users join meetings through different clients or via WebRTC in a browser.

During a series of tests conducted with this software, we found that it is possible, remotely and without authentication, to list the active conferences on a CMS server and obtain a large amount of information about each conference, such as its name, ID, video address, whether it is passcode-protected, and more. After our report, Cisco published a security advisory for this vulnerability in November 2018 as CVE-2018-15446. We also found that, remotely and without authentication, it is in some cases possible to brute-force the passcode of a protected conference, recover the numeric code and access the corresponding videoconference.

Based on this research, we developed two open source tools in Python, m33tfinder and m33tbreak, which automate this attack given only the URL of the CMS server. An attacker using our tools could identify the CMS URL of a given company, obtain the valid conferences, single out those that discuss critical issues such as budgets, steering committees or board meetings, and join them as a guest. In that way the attacker could access the critical information discussed in those meetings, or record them, using only a web browser.

In our talk we will cover the overall security of videoconferencing systems, the story of how we discovered the vulnerability, how to identify Cisco Meeting Servers exposed on the Internet, the technique used to obtain information about the conferences and to perform the brute-force attack, a demo of the tools carrying out an attack against a CMS, and the countermeasures that protect against these attacks for anyone administering or using this or another videoconferencing system.