S21sec has presented a tool that identifies meeting rooms exposed on videoconferencing services, and reports that it found more than 100 sessions on the open source Jitsi platform, specifically on its free public service Meet.jit.si. The surge in demand for videoconferencing has increased users' exposure to cyber security risks; the FBI has already issued a warning about Zoom.
The security firm points out that meeting rooms hosted on cloud "video as a service" providers, when misconfigured, let any outsider join them. In the case of Jitsi, the company says the platform does offer advanced security options (room passwords, a lobby in which a moderator admits each guest, and authentication on self-hosted deployments), but they must be configured correctly for rooms not to be exposed.
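The following is an added illustration of what "configured correctly" means for a self-hosted Jitsi deployment; it is written for this page and is not S21sec's tool nor material from the original article. It follows the secure-domain and lobby setup documented by the Jitsi project: a stock install lets anyone who guesses or enumerates a room name open it anonymously, whereas the hardened Prosody configuration below only lets authenticated users start a room, lets guests join once a moderator is present, and makes the moderator admit each guest through the lobby. The hostname meet.example.com and its subdomains are placeholders.

```lua
-- /etc/prosody/conf.avail/meet.example.com.cfg.lua (excerpt; hostnames are placeholders)
-- Only the directives relevant to room exposure are shown; the remaining modules
-- and components of the stock Jitsi configuration are left unchanged.

-- BEFORE (stock install): any visitor who opens https://meet.example.com/<name>
-- creates and joins the room anonymously, so guessable names are exposed rooms.
--
-- VirtualHost "meet.example.com"
--     authentication = "anonymous"

-- AFTER: rooms can only be started by users with a Prosody account
VirtualHost "meet.example.com"
    authentication = "internal_hashed"     -- moderators log in with a registered account
    modules_enabled = {
        "bosh";
        "ping";
        "muc_lobby_rooms";                 -- lobby: a moderator must admit every guest
    }
    lobby_muc = "lobby.meet.example.com"
    main_muc = "conference.meet.example.com"

-- Guests land on a separate anonymous host: they can join a room that a
-- moderator has already opened, but cannot start one themselves
VirtualHost "guest.meet.example.com"
    authentication = "anonymous"
    c2s_require_encryption = false

-- MUC component that backs the lobby (guests wait here until admitted)
Component "lobby.meet.example.com" "muc"
    storage = "memory"
    restrict_room_creation = true
    muc_room_locking = false
    muc_room_default_public_jids = true
```

Two companion changes are needed for this to take effect: in jicofo.conf, enable authentication (`jicofo.authentication.enabled = true`, `type = XMPP`, `login-url = "meet.example.com"`) so that Jicofo refuses to create a conference until an authenticated user has joined, and in the web client's config.js set `hosts.anonymousdomain` to `guest.meet.example.com` so that guests are routed to the anonymous host. Moderator accounts are then created with `prosodyctl register <user> meet.example.com <password>`. On the hosted Meet.jit.si service none of this server-side configuration is available to the user; there, the practical controls are the password and lobby options in the meeting's security settings, plus long random room names that a dictionary of company names, cities and telework terms will not hit.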
S21sec developed a tool that identifies exposed rooms on Meet.jit.si by trying room names built from the names of the most prominent companies in Spain, common telework terms, the names of Spanish cities and similar keywords. To back up its warning, the company recorded more than 100 exposed videoconferences, in sectors such as technology, education and health, as well as recreational and personal activities that have moved to virtual meetings.
The company notes that a malicious actor could configure such a tool with terms aimed at a specific company or sector, receive an alert whenever a matching meeting starts, or save the video for later analysis. It adds that it is very easy to show internal information on screen by accident, such as addresses, tokens, usernames and other settings, which an attacker can then exploit.
Most seriously, S21sec reports that it has detected the use of Jitsi by entities in critical sectors, including governments in several countries, with rooms exposed under the domain names of government bodies. The company says that although an unknown participant joining a virtual meeting can be noticed, in very busy meetings an intruder would not raise the alarm, and even when noticed, the other participants tend to assume a colleague is having configuration problems. This is especially true when the intruder keeps Jitsi's default display name, "Fellow Jitster", since participants who have not changed their name or switched on their camera are a common sight in meetings.