Video conferencing applications grew substantially following the outbreak of the coronavirus (COVID-19) global pandemic. According to Research and Markets article “Video Conferencing Demand Rises due to Social-Distancing,” video conferencing software experienced 62 million downloads in March 2020. This increase in use resulted from businesses adopting video conferencing platforms as a means to facilitate their transition to remote work.

Concerns surrounding productivity in a time of unprecedented crisis drove many organizations to quickly embrace video conferencing technology. In so doing, some organizations might have neglected to take the security of video conferencing apps into account. Given that possibility, organizations need to be familiar with the types of security and privacy risks they might have overlooked. Only then can they formulate effective best practices to strengthen their digital security going forward.

Risks Associated With Video Conferencing Apps

The security and privacy risks associated with video conferencing applications break down into two categories: attacks where nefarious individuals take the initiative and security incidents that arise from mistakes.

1. Malicious Actors Take the Lead

One of the most common examples of risk affecting video conferencing apps is a meeting bombing attack. Palo Alto Networks explains that a meeting bombing attack consists of a security incident in which uninvited guests join a video conferencing meeting. They do so after having discovered or successfully guessed the meeting ID using a technique known as “war dialing.”

These attackers may engage in various types of malicious activity. They might choose to disrupt the meeting by sharing inappropriate content or media with the other attendees via sharing their screen. Alternatively, they can remain quiet in an attempt to not alert the meeting host of their presence. If undetected, these actors can use the call to learn about trade secrets and intellectual property. They could also gain more insight into the structure of the organization and then leverage this insight to conduct secondary attacks once the call is complete.

Attackers also can deploy additional malicious techniques before the call finishes. In the article “Video Conferencing Security Issues and Opportunities,” Unify Square notes that these individuals could abuse the chat feature on most video conferencing apps to conduct phishing attacks. They could do this by sending over links that redirect recipients to fake login pages or websites that host malware payloads.

2. Mistakes That Undermine Organizational Security

These types of risks tend to arise once a recorded video conferencing call has concluded. First, organizations need to be concerned about exposing the contents of the call depending on how they manage the recording. They could share a call’s entire meeting folder with colleagues or the public, as an example. But, they might not realize the folder contains all the private chats shared between the host and meeting participants. Such a breach could ruin business deals, undermine public confidence in the company and empower a malicious actor to take action against the affected organization.

Second, organizations need to worry about whether their video conferencing app has adequate security measures in place to prevent attackers from accessing a protected call recording. Most platform vendors offer end-to-end encryption or enable customers to manage their own encryption keys for their recorded calls.

According to the Unify Square article, these implementations suffer from security gaps that could expose calls while they’re in transit or at rest. Malicious actors could subsequently exploit those security holes to access or tamper with the recorded calls, thereby endangering the integrity and confidentiality of the data contained therein.

How To Mitigate Security and Privacy Risks

Fortunately, organizations can take several steps to mitigate the security and privacy risks associated with video conferencing apps. These measures include the following:

  • Be careful about where they share meeting information. Trend Micro notes that organizations need to be careful about where they share the information for upcoming calls. They should avoid displaying this information openly on social media platforms and on their website. If the call is open to the public, organizations can leverage a registration process equipped with a CAPTCHA mechanism to help weed out potential attackers. By contrast, they should consider circulating the invitation via email only if the meeting is internal.
  • Use a password to protect upcoming calls. One of the most common ways attackers commonly access a video conferencing call is by guessing the meeting ID. Organizations can stop the malicious activity by protecting each of their calls with a unique, robust password. This security measure functions as a second step of verification. Even if the attackers have the meeting ID, they won’t be able to join the meeting without the password.
  • Implement waiting rooms. Organizations can still foil malicious actors who find a way to access the call. They can do this by using waiting rooms. This feature allows meeting hosts to review the names of participants requesting entry into the meeting. If they see an unfamiliar name of an attendee, they can refuse to grant entry to that individual. Once the meeting has begun, hosts should then conduct a roll-call. This step well help hosts to confirm the list of attendees and to eject unwanted guests from the meeting.
  • Disable file transfer and automatic screen sharing features. Organizations can use their host controls to limit the types of activity that can occur during a call. For instance, they can disable file transfer features to prevent attackers from attempting to spread malware. They can also disable automatic screen sharing to deter meeting bombing attacks and block legitimate attendees from accidentally sharing sensitive information.
  • Don’t record a meeting unless you need to do so. Computer World reminds us that not every call needs to be recorded. If organizations decide they need the call’s information for future use, they should inform all participants that they will be recording the call. Save the recording by using a unique name and make sure it is stored in a way that follows existing security policies.
  • Act quickly if a compromise is detected. There’s no time to waste if a compromise occurs during a call, advises Charles Henderson, Global Partner and Head of IBM X-Force Red. In the event something malicious does happen, organizations should mute all participants, inform them the call has been compromised and promptly end the call. They should then notify the platform provider about the incident as well as report the event to their legal and security teams.

Security-Minded Focus for the Future

It’s unclear how long organizations will need to continue to use video conferencing apps as the primary means to connect with their employees, business prospects and clients. Security professionals should apply the tips above to build out video conferencing security strategies to be prepared for whatever the future of digital security has in store for their organizations.

More from Software Vulnerabilities

X-Force discovers new vulnerabilities in smart treadmill

7 min read - This research was made possible thanks to contributions from Joshua¬†Merrill. Smart gym equipment is seeing rapid growth in the fitness industry, enabling users to follow customized workouts, stream entertainment on the built-in display, and conveniently track their progress. With the multitude of features available on these internet-connected machines, a group of researchers at IBM X-Force Red considered whether user data was secure and, more importantly, whether there was any risk to the physical safety of users. One of the most…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

MSMQ QueueJumper (RCE Vulnerability): An in-depth technical analysis

13 min read - The security updates released by Microsoft on April 11, 2023, addressed over 90 individual vulnerabilities. Of particular note was CVE-2023-21554, dubbed QueueJumper, a remote code execution vulnerability affecting the Microsoft Message Queueing (MSMQ) service. MSMQ is an optional Windows component that enables applications to exchange messages via message queues that are reachable both locally and remotely. This analysis was performed in collaboration with the Randori and X-Force Adversary Services teams, by Valentina Palmiotti, Fabius Watson, and Aaron Portnoy. Research motivations…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today