Published Sep 08, 2022 by Xiph
Since the onset of COVID-19 and the ensuing hybrid working model, virtual meetings are now broadly used across many industries like banking, insurance, healthcare, education and government. But the sudden expansion of these services and our reliance on them has raised understandable concerns about risk and security, especially for SMEs and organisations.
Most people would remember seeing reports of ‘Zoom bombing’ which became infamous during the pandemic when hackers gate-crashed Zoom meetings and bombarded attendees with pornography or hate speech. While these incidents were certainly unpleasant, there are far more dangerous security risks associated with virtual meeting solutions. We cover them in detail below.
Video conferencing cyber security risks
Virtual meeting platforms aren’t always built with the highest security standards, and even the most secure ones like Google Meet, Microsoft Teams, and Zoom aren’t immune to prying eyes. During a video conference, sensitive information and data travel across internal and external networks which can be exploited by cybercriminals. Some of the most common cyber threats associated with using video teleconferencing (VTC) include:
- Data breaches
- Infiltration & hijacking of virtual meetings
- Inadequate encryption protocols
- Vulnerable endpoints and networks
The main concern with virtual meeting technology is data protection, so much so that the FBI issued broad warnings to the public about the potential dangers of video conferencing. Hackers have been known to use VTC as a vector for corporate espionage, data harvesting, or blackmail (and in some instances, all three). They do this primarily by covertly listening in on calls, capturing screen recordings and shared screens, and illegally accessing documents shared during virtual meetings. This is often done surreptitiously, targeting data that’s valuable enough to warrant the effort, like corporate, personal, financial, or medical information.
Infiltration & hijacking
Zoom meetings can be relatively easy to infiltrate if the proper security settings aren't turned on. For example, if a Zoom meeting link is set to public, the meeting can be accessed by anyone with the correct link. Be sure to set all Zoom meetings to private and only share your personal meeting ID with trusted contacts. It’s even possible for some hackers to pre-generate a list of Zoom meeting ID numbers, use algorithms to quickly verify whether a selected meeting ID is valid, and then gain entry into meetings that aren’t password protected.
VTC software, including popular products like Zoom and Google Hangouts, also has vulnerabilities that can allow hackers to spy on users through their cameras and microphones. Cybercriminals can also infiltrate a video conference by screen recording a confidential meeting to sell the information to competitors or bad actors, or by covering up information being presented.
The infiltration/hijacking of virtual meetings can present a threat to privacy, identification, or personally identifiable information (PII), and poses data security risks that could compromise confidential business or corporate information or intellectual property.
Inadequate encryption protocols
There are plenty of documented cases of VTC platforms being raided by online trolls, particularly involving Zoom. A previous gripe with Zoom specifically (which the company has now remedied) was that the platform only used point-to-point encryption (P2PE) instead of end-to-end encryption (E2EE). Both encryption protocols secure communications by encrypting data at the point of interaction (POI), and in transit. However, E2EE goes a step further by protecting attendees’ data with a so-called conference encryption key to prevent unauthorised persons from accessing personal data. This ensures that only meeting participants have the ability to decrypt secure meeting content.
All major video conferencing platforms should by now have some kind of end-to-end encryption functionality with a 256-bit key length, although it’s important to check your organisation’s security benchmarks against the encryption protocols of your VTC platform.
Vulnerable endpoints and networks
If your corporate network isn’t airtight with adequate security like a secure internet connection, network-based firewalls, and automatic security patching, you could be leaving the door open for intrusions. Good network and endpoint security are essential for virtual events, especially if they involve participants from multiple locations. Network security protects interactions between devices regardless of location, while endpoint security protects individual devices. Security vulnerabilities in video conferencing devices like laptops and tablets can be remotely exploited by hackers.
Keep in mind that home Wi-Fi network settings aren’t secure by default, so be sure to change the default passwords for your router and Wi-Fi network when working from home to prevent malicious actors from compromising sensitive data. Check that you’re using encrypted Wi-Fi too.
How to secure virtual meetings
Here are some simple steps you can take to minimise your security risks with video conferencing:
- Use a VTC platform with a robust and transparent security program: Do your research on any video conferencing tool(s) you plan to use, especially around their privacy policies and security protocols to check for potential vulnerabilities. Make sure it has multiple layers of protection against modern threats and end-to-end encryption.
- Avoid sharing files on messaging or VTC platforms: Don’t share confidential business information on VTC platforms as some may lack end-to-end encryption. Opt for email and cloud sharing instead.
- Don’t share video conference links: Only send invitations to virtual meetings through secure channels like email and to trusted participants, and avoid posting them to messaging platforms or social media.
- Password protect all your virtual meetings: Make all your virtual meetings password protected to ensure that only invited attendees can access your meeting. Passwords will help you block any intruder or malicious actor from infiltrating your meetings. You’ll need to create a unique meeting ID and a new password for each meeting in order to restrict access. For maximum safety, activate passwords for new meetings, instant meetings, personal meetings, and people joining by phone. Organisations should require the approval of any ‘join’ requests by external attendees to reduce the risk of someone eavesdropping or actively disrupting a session.
- Lock all sensitive virtual meetings: Lock all sensitive/confidential video conference meetings once every participant has joined. This will make it harder for bad actors to sneak into a meeting to gain access to sensitive information. To lock your virtual meetings, go to the ‘Manage Participants’ window, and select ‘Lock Meeting’. No participants will be permitted entry to the meeting while it’s locked.
- Limit screen sharing: To reduce the chances of users (either welcome or unwelcome) taking control of your screen or ‘Zoom bombing’ while you’re presenting, select the option to block everyone except the host (you) from screen sharing. Once you start a meeting, check your ‘Share Screen’ settings by clicking the security shield on the meeting controls.
- Set up a waiting room: Control when a participant joins the meeting by setting up a virtual waiting room (which most video conferencing software offers as a standard feature). This allows you to place participants in a separate ‘room’ before the host (you) can accept them into the meeting, either one by one or all together.
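The checklist above can be turned into an automated check over exported meeting settings. This is an added example, not code from the original page or from any VTC vendor; the `Meeting` fields, the `audit` function and the sample meetings are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical per-meeting settings export. Field names are assumptions
# made for this example, not any vendor's API schema.
@dataclass
class Meeting:
    topic: str
    passcode: str = ""
    phone_passcode: bool = False    # dial-in callers must enter it too
    personal_id: bool = False       # reuses the host's personal meeting ID
    waiting_room: bool = False
    screen_share: str = "all"       # "host" or "all"
    approve_external: bool = False  # host approves external join requests
    sensitive: bool = False
    locked: bool = False            # locked once every participant joined

def audit(meetings):
    """Map topic -> list of checklist items the meeting fails."""
    first_use = {}                  # passcode -> topic that used it first
    report = {}
    for m in meetings:
        checks = [
            (not m.passcode, "no passcode"),
            (m.passcode in first_use,
             f"passcode reused from {first_use.get(m.passcode)!r}"),
            (not m.phone_passcode, "phone dial-in not passcode protected"),
            (m.personal_id, "personal meeting ID instead of a unique ID"),
            (not m.waiting_room, "waiting room disabled"),
            (m.screen_share != "host", "screen sharing not limited to host"),
            (not m.approve_external, "external joins not approved by host"),
            (m.sensitive and not m.locked, "sensitive meeting left unlocked"),
        ]
        findings = [msg for failed, msg in checks if failed]
        if m.passcode:
            first_use.setdefault(m.passcode, m.topic)
        if findings:
            report[m.topic] = findings
    return report

# Constructed sample data: one compliant meeting, two with gaps.
SAMPLE = [
    Meeting("Board review", "k7#Qz2", True, False, True, "host", True, True, True),
    Meeting("Weekly stand-up", "k7#Qz2", True, True, True, "host", True),
    Meeting("Vendor demo", sensitive=True),
]

if __name__ == "__main__":
    for topic, findings in audit(SAMPLE).items():
        print(f"{topic}: {'; '.join(findings)}")
```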
How do you know if a video conferencing platform is secure?
Secure video conferencing platforms must meet industry standard requirements around the protection of video content and metadata like names, roles, email addresses, usernames, and passwords of registered users, as well as information about devices they use.
Secure video conferencing should also use 256-bit AES GCM encryption for audio, video, and application sharing (i.e. screen sharing, whiteboarding, etc.) between meeting applications, clients, and connectors.
Secure video conferencing platforms will also typically have a proven track record of offering optimal privacy and cyber security. How they remediate security vulnerabilities in their web conferencing solution will also be an indicator of trust.
Lastly, secure video conferencing platforms should support passwords for all participants, including a different host password as well as randomised meeting IDs and encryption. Security options for hosts should include a waiting room feature, the ability to control audio and video of all participants, control of content sharing, and the ability to lock a meeting once all intended participants have joined.
A final word
Virtual meetings aren’t fail-safe and represent a cyber security risk for organisations and businesses that rely on those VTC platforms for day-to-day communications and to conduct their operations. You can speak to cyber security experts about extra precautions you can take when video conferencing.