Researchers offer tools for eavesdropping and video hijacking

UCSniff can be used to spy on video conference calls while VideoJak allows for hijacking of video streams.

Elinor Mills Former Staff Writer

LAS VEGAS--Showing off technology that James Bond would love, two researchers at Defcon on Friday demonstrated tools that allow people to eavesdrop on video conference calls and intercept surveillance camera video.

An attacker needs to be in the same building as the victims to carry out the man-in-the-middle attacks over the network.

The free UCSniff tool, available in Linux and Windows versions, offers a slick graphical user interface for sniffing video, said Jason Ostrom, director of the Viper Lab at Sipera Systems. The tool basically tricks the voice-over-IP network carrying the video into sending the data packets to the attacker's computer, he said.

This could be used to spy on people. For instance, an attacker could listen in on and record confidential conversations between an executive who is on a video conference call with another remote executive, according to Ostrom.

Ostrom and Arjun Sambamoorthy, a research engineer at Viper Lab, also have developed another free tool called VideoJak that can be used to intercept video streams.

Thieves planning to steal from a museum, for example, could use the tool to change live surveillance video being watched by a museum security guard so that it replayed previous video of the art, giving thieves time to steal art without detection.

Attackers can replay video from the same stream or inject other video, like pornography, the researchers said.

Companies can use encryption on the network server to protect against these attacks, but encryption is not enabled by default, Ostrom said.

"These assessment tools can show you the impact of the vulnerability to your network," he said.

John Draper, aka "Capt. Crunch," said he is interested in using the UCSniff tool to test the systems at start-up En2Go where he is chief technology officer. En2Go is signing up with companies to deliver high-definition media, including movies and corporate videos, to desktops.

"I want to ensure customers and clients that someone can't steal movies off Flyxo," En2Go's system, he said.

Intercepting streaming video isn't new, but UCSniff "makes it easier; it makes it plug and play," Draper said.