We are more dependent than ever on video applications in our personal and professional lives. For many of us, it is now the only way to make face-to-face contact with co-workers and loved ones, even when they are local.
Every organization needs data security practices that address video conferencing, because it is replacing physical premises in a way that is going to have a lasting impact.
In the 2016 thriller Snowden, the infamous NSA contractor covers his laptop camera with a Band-Aid, demonstrating his understanding of cyber-attacks and fear of being hacked. While most of us do not have similar issues to worry about, corporate espionage promises lucrative rewards for attackers feeding on the weakness and disruption caused by COVID-19. One of the latest trends in security breaches involves online video conferencing applications. Clearly, secure video conferencing should be a key concern for an enterprise.
An Explosion in Video Conference Application Use
Skype has traditionally been the most favored video conferencing app, but with the “Work-From-Home” induced upheaval in workplaces, businesses are turning to GoToMeeting and to Zoom, the latter due to its extreme simplicity (all you need is an email address to join a meeting, which also exposes users to greater risk, as noted below). Microsoft’s Teams, with associated secure file sharing, is seeing increased adoption. Google aficionados are leveraging Google Duo, Google Chat, and Google Hangouts. These apps are only the tip of the iceberg, but they represent the widest swath of adoption.
A quick Google search will spit out a litany of video conferencing benefits, so we will skip them; this piece is for the initiated. What is less understood are the video conference application vulnerabilities and how to secure video conferencing applications. There are numerous instances of cybercriminals gleaning vital data by hacking into these conference applications, and there is an urgent need to secure video conferencing.
Common Security Vulnerabilities In Video Conference Applications
Here are some video conference application security issues and application vulnerabilities to contemplate as your enterprise becomes more reliant on online meetings:
- Recipients need to be extra careful about the conference invite links they are receiving. 25% of all domains registered this year were registered in the past week, many including derivations of “Zoom”, “GoTo..” etc. These links can be used to trick users into unwittingly downloading malware.
- Hackers can record video conferences. Therefore, choosing legitimate video conferencing software is essential. Many large providers claim that they support end-to-end encryption, but these claims can be misleading and video communications are often not encrypted end to end. For example, it was recently reported that Zoom’s claims of end-to-end encryption are misleading, as it actually only has transport layer encryption and does not support end-to-end encryption for video and audio content. This means that anyone within Zoom, or anyone who gains access to your audio and video content through Zoom, will have access to your unencrypted content.
- Unlike hacking into an email or computer, a cybercriminal hacking into your video conferencing application can probe and survey your surroundings. Users need to ensure the security of their physical space. The cover page on a visible stack of documents on your credenza; a diploma on your wall; and pictures of your kids can give away confidential business information or personal data that could be used for social engineering.
- Adversaries can observe how their targets speak and their mannerisms, which can then be used for impersonation and identity theft. Make sure someone has responsibility for checking the attendee logs on meetings: that empty square on the screen could be anyone, and might not have been invited.
- Users need to practice online hygiene when engaging in video conferencing. There should not be any sensitive or confidential images, videos, documents or applications simultaneously open that could be inadvertently exposed.
- Even for confidential information that is intended to be shared on a video call, it is better for the team members to independently view the documents from a secure file sharing app rather than simply displaying them on the screen.
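One way to triage invite links before anyone clicks them, following the first point in the list above. This is an added example, not code from the original article; the approved-domain list, the brand strings and the `.example` sample links are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains this organization has approved for meetings.
APPROVED = {"zoom.us", "gotomeeting.com", "webex.com", "skype.com"}
# Brand strings that lookalike registrations embed ("Zoom", "GoTo.." in the article).
BRANDS = ("zoom", "goto", "webex", "skype")
# Undo digit-for-letter swaps and hyphen padding before looking for a brand.
NORMALIZE = str.maketrans({"0": "o", "1": "l", "-": None})


def classify_invite(url: str) -> str:
    """Return 'approved', 'suspicious' or 'unknown' for one invite link."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return "suspicious"      # malformed network location
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return "unknown"         # no host to judge (relative link, bare text)
    if parts.username is not None:
        return "suspicious"      # "https://zoom.us@other.host/" hides the real host
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        return "suspicious"      # IDN host: possible homoglyph of an approved name
    on_list = any(host == d or host.endswith("." + d) for d in APPROVED)
    if on_list and parts.scheme == "https":
        return "approved"
    if any(b in host.translate(NORMALIZE) for b in BRANDS):
        return "suspicious"      # brand on an unapproved host, or over plain http
    return "unknown"


# Constructed sample links; the .example hosts are placeholders.
SAMPLES = [
    "https://us02web.zoom.us/j/1234567890",
    "https://zoom.us.login.example/j/1",
    "https://zo0m-meeting.example/join",
    "https://zoom.us@files.example/j/1",
    "https://zo\u03bfm.us/j/1",
    "http://zoom.us/j/1",
    "https://intranet.example/wiki",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_invite(link):10} {link}")
```

Substring matching on brand names is deliberately broad, so a "suspicious" result means the link needs a second look rather than that it is malicious.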
Specific Security Issues & Vulnerabilities In Some Famous Video Conference Applications
Here are some of the security issues in specific conferencing applications that made headlines in the news.
Zoom is an excellent conference application, but researchers discovered a Zoom security breach where it became possible to find out which of the random numbers pertained to Zoom calls. It is a dangerous Zoom security flaw, as hackers can eavesdrop on your conferences and steal critical data.
Another Zoom security issue was a software vulnerability that led to an RCE (Remote Command Execution) on any macOS device even after uninstalling the Zoom app from it. This issue, however, has since been fixed.
More concerning is Zoom’s tendency to downplay security for the benefit of convenience. This has been noted by the New York Attorney General who is seeking further information on security practices implemented by Zoom. It also has misleading marketing around end-to-end encryption as noted above. What other security issues are being swept under the rug as they seek to ramp up more users?
- Make adding passwords a default for meetings.
- Always invite users by their email address.
- If security is a big concern, consider other options that are more transparent about the security they have in place.
Recently, GoToMeeting witnessed a unique vulnerability that allowed multiple CWEs (Common Weakness Enumerations) in PSIRT (GoToMeeting uses this video conferencing tool), thereby exposing its customers to tremendous risk. Luckily, the European security-monitoring firm Swascan stepped in to resolve the GoToMeeting vulnerabilities. It asserts that with its timely actions, it is now nearly impossible for hackers to impersonate genuine users or crash a given program.
Skype is a popular video-conferencing application that also allows you to make calls to landline and mobile numbers. The advantage of Skype is that it uses end-to-end encryption for Skype-to-Skype calls. However, it does not do so for calls that take place over the ordinary phone network. If you have a conference call with two people, one on Skype and the other on a private network, the Skype-to-Skype portion is encrypted, whereas the private network side is not. This makes Skype not the most secure application.
- To resolve this Skype security issue, use Skype for Business rather than Skype for consumers (Skype-C).
- Limit the Skype-C contacts in your list.
- When communicating with a Skype-C contact, ensure they have adequate privacy measures in place.
Recently, Webex had some security issues where strangers could access its password-protected meetings without any authentication. This issue could affect security solutions like firewalls. Upon identifying the problem, Cisco released some software updates to resolve the Webex security issues.
“Is Hangout a safe site?” and “Are Google Hangout chats private?” are common questions from Google Hangouts users, as Google Hangouts is free on Android and iOS. It encrypts Hangouts conversations, but only during transit. Thus, your messages get exposed to Google servers and can be provided in response to a subpoena. Moreover, good luck getting them to address a security concern specific to your use; that comes with “free”. So, if you are not super concerned about the privacy of your communications, then it is a convenient application to use.
Steps to Enhance Video Conferencing Privacy
Encryption: Encryption of all the audio and video data through suitable software will protect your privacy even if the data is hacked.
Secure server: Secure servers can help organizations maintain the privacy of employees without cutting down on essential communications. They can choose the P2P approach.
Self-hosting: Self-hosting video conferencing software has an added advantage. There is no central cloud computing service which may act as a dragnet for all your data.
Steps to Enhance Video Conferencing Security
- Regular Patching & Updates: Ensure that your video conferencing software is up to date.
- Using Single Sign-on: Use Single Sign-on for user authentication, as it reduces the risk of losing or compromising user credentials. It enables the IT security teams to identify the breaches and lock the system to control the damage.
- Securing Networks: Businesses should use an IDS/IPS or firewall when installing video conferencing equipment. Settings should not permit incoming video calls to be answered automatically.
- Policy & Procedures: Organizations should develop robust video conferencing policies & procedures and ensure that employees follow them for secure video conferencing.
The digital world is changing at an unprecedented rate. Businesses and individuals are moving online for their day-to-day activities. With our increased dependency on online communication, video conferencing and desktop sharing have become crucial. Organizations and individuals need to ensure that they have adequate secure video conferencing measures in place to prevent compromises of their sensitive and confidential data.