
Trustwave finds security flaw in old Lifesize video products

Trustwave publicly identified a flaw in several legacy Lifesize video products this week, after the vendor initially indicated it had no immediate plans for a patch.

Lifesize is encouraging customers using some of its old video conferencing products to contact the Lifesize support team to receive a hotfix for a security flaw that could give hackers access to their networks. Trustwave, a cybersecurity firm, discovered the flaw this past fall and made it public this week.

Lifesize said it would automatically patch all affected devices connected to the Lifesize Cloud and that it was in the process of notifying those cloud subscribers of the issue. Customers without cloud subscriptions need to contact the vendor to receive the code necessary to fix the problem.

One aspect of the vulnerability would let an attacker use affected Lifesize video devices to conduct reconnaissance on other devices and configurations on the same network, Trustwave said. A compromised device could also potentially be used as a foothold to launch attacks against other systems or to eavesdrop on private information within a company's network.

The vulnerability affects the following Lifesize video products:

  • Lifesize Teams and Lifesize Rooms, part of the 200 and 220 series video conferencing systems;
  • Lifesize Networker, a gateway between IP and ISDN networks; and
  • Lifesize Passport, a USB camera system.

Lifesize no longer sells any of the affected products, although some appear to remain available for purchase from resellers. The 200 Series and Lifesize Passport are so old that Lifesize has stopped providing customer support for them. Similarly, Lifesize Networker is scheduled to reach "end of life" on March 31.

A statement released by Lifesize suggested the 220 Series was the only product for which a hotfix would be available to non-cloud customers.

Trustwave said it first attempted to contact Lifesize in November but received no response. After following up in January through a different channel and with more details, the firm received an email from a Lifesize engineer, who acknowledged the vendor was aware of some vulnerabilities in the products but had no immediate plans to patch them.

Trustwave's difficulty getting an adequate response from Lifesize demonstrates that some smaller software vendors still need better protocols for handling vulnerability reports from outsiders, said Anton Chuvakin, security analyst at Gartner. Big tech firms like Microsoft and Oracle learned that lesson many years ago, he said.

"I have seen vendors who would get a report [about a] vulnerability and say we are not going to fix it," Chuvakin said. "In this case, the public disclosure I think motivated them to fix it."

Trustwave plans to release code on Feb. 21 that will give organizations the ability to investigate whether their Lifesize video devices remain vulnerable. The delay would provide time for customers to apply the hotfix, Trustwave said.

Neither Lifesize nor Trustwave knows of any instance of an attacker exploiting the vulnerability to date; Lifesize said it was actively investigating the possibility.

"We regret the inconvenience to our customers and are committed to improving our internal processes by which we escalate reported vulnerabilities so that we can address known issues faster," Lifesize said in a statement.
