Video conferencing applications grew substantially following the outbreak of the coronavirus (COVID-19) global pandemic. According to the Research and Markets article “Video Conferencing Demand Rises due to Social-Distancing,” video conferencing software experienced 62 million downloads in March 2020. This increase in use resulted from businesses adopting video conferencing platforms as a means to facilitate their transition to remote work.
Concerns surrounding productivity in a time of unprecedented crisis drove many organizations to quickly embrace video conferencing technology. In so doing, some organizations might have neglected to take the security of video conferencing apps into account. Given that possibility, organizations need to be familiar with the types of security and privacy risks they might have overlooked. Only then can they formulate effective best practices to strengthen their digital security going forward.
Risks Associated With Video Conferencing Apps
The security and privacy risks associated with video conferencing applications break down into two categories: attacks where nefarious individuals take the initiative and security incidents that arise from mistakes.
1. Malicious Actors Take the Lead
One of the most common examples of risk affecting video conferencing apps is a meeting bombing attack. Palo Alto Networks explains that a meeting bombing attack consists of a security incident in which uninvited guests join a video conferencing meeting. They do so after having discovered or successfully guessed the meeting ID using a technique known as “war dialing.”
These attackers may engage in various types of malicious activity. They might choose to disrupt the meeting by sharing inappropriate content or media with the other attendees via sharing their screen. Alternatively, they can remain quiet in an attempt to not alert the meeting host of their presence. If undetected, these actors can use the call to learn about trade secrets and intellectual property. They could also gain more insight into the structure of the organization and then leverage this insight to conduct secondary attacks once the call is complete.
Attackers also can deploy additional malicious techniques before the call finishes. In the article “Video Conferencing Security Issues and Opportunities,” Unify Square notes that these individuals could abuse the chat feature on most video conferencing apps to conduct phishing attacks. They could do this by sending over links that redirect recipients to fake login pages or websites that host malware payloads.
2. Mistakes That Undermine Organizational Security
These types of risks tend to arise once a recorded video conferencing call has concluded. First, organizations need to be concerned about exposing the contents of the call depending on how they manage the recording. They could share a call’s entire meeting folder with colleagues or the public, as an example. But, they might not realize the folder contains all the private chats shared between the host and meeting participants. Such a breach could ruin business deals, undermine public confidence in the company and empower a malicious actor to take action against the affected organization.
Second, organizations need to worry about whether their video conferencing app has adequate security measures in place to prevent attackers from accessing a protected call recording. Most platform vendors offer end-to-end encryption or enable customers to manage their own encryption keys for their recorded calls.
According to the Unify Square article, these implementations suffer from security gaps that could expose calls while they’re in transit or at rest. Malicious actors could subsequently exploit those security holes to access or tamper with the recorded calls, thereby endangering the integrity and confidentiality of the data contained therein.
How To Mitigate Security and Privacy Risks
Fortunately, organizations can take several steps to mitigate the security and privacy risks associated with video conferencing apps. These measures include the following:
- Be careful about where they share meeting information. Trend Micro notes that organizations need to be careful about where they share the information for upcoming calls. They should avoid displaying this information openly on social media platforms and on their website. If the call is open to the public, organizations can leverage a registration process equipped with a CAPTCHA mechanism to help weed out potential attackers. By contrast, if the meeting is internal, they should consider circulating the invitation via email only.
- Use a password to protect upcoming calls. One of the most common ways attackers access a video conferencing call is by guessing the meeting ID. Organizations can stop the malicious activity by protecting each of their calls with a unique, robust password. This security measure functions as a second step of verification. Even if the attackers have the meeting ID, they won’t be able to join the meeting without the password.
- Implement waiting rooms. Organizations can still foil malicious actors who find a way to access the call. They can do this by using waiting rooms. This feature allows meeting hosts to review the names of participants requesting entry into the meeting. If they see an unfamiliar name of an attendee, they can refuse to grant entry to that individual. Once the meeting has begun, hosts should then conduct a roll-call. This step will help hosts to confirm the list of attendees and to eject unwanted guests from the meeting.
- Disable file transfer and automatic screen sharing features. Organizations can use their host controls to limit the types of activity that can occur during a call. For instance, they can disable file transfer features to prevent attackers from attempting to spread malware. They can also disable automatic screen sharing to deter meeting bombing attacks and block legitimate attendees from accidentally sharing sensitive information.
- Don’t record a meeting unless you need to do so. Computer World reminds us that not every call needs to be recorded. If organizations decide they need the call’s information for future use, they should inform all participants that they will be recording the call. Save the recording by using a unique name and make sure it is stored in a way that follows existing security policies.
- Act quickly if a compromise is detected. There’s no time to waste if a compromise occurs during a call, advises Charles Henderson, Global Partner and Head of IBM X-Force Red. In the event something malicious does happen, organizations should mute all participants, inform them the call has been compromised and promptly end the call. They should then notify the platform provider about the incident as well as report the event to their legal and security teams.
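To act quickly, a security team first has to notice the meeting-ID guessing described earlier. The following is an added example, not code from the original article or from any vendor: it flags sources that try many distinct meeting IDs in a short window and lists meetings they reached. The log format, field names and thresholds are assumptions, and the log lines are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample join log: timestamp, source IP, meeting ID tried, result.
# This layout is an assumption; real platforms export their own formats.
SAMPLE_LOG = """\
2020-04-02T09:00:01 198.51.100.7 481516234 not_found
2020-04-02T09:00:03 198.51.100.7 481516235 not_found
2020-04-02T09:00:04 198.51.100.7 481516236 bad_password
2020-04-02T09:00:06 198.51.100.7 481516237 not_found
2020-04-02T09:00:09 198.51.100.7 481516238 waiting_room
2020-04-02T09:01:00 203.0.113.20 700100200 bad_password
2020-04-02T09:01:20 203.0.113.20 700100200 joined
2020-04-02T09:05:00 192.0.2.44 700100200 joined
"""

def parse(log_text):
    """Yield (time, source, meeting_id, result) from each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash
        ts, src, mid, result = parts
        yield datetime.fromisoformat(ts), src, mid, result

def find_id_guessing(log_text, window=timedelta(minutes=1), max_ids=3):
    """Map each source that tried more than max_ids distinct meeting IDs
    inside any sliding window to the largest distinct-ID count seen."""
    by_src = defaultdict(list)
    for ts, src, mid, _ in parse(log_text):
        by_src[src].append((ts, mid))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Shrink the window until it spans at most `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            ids = {mid for _, mid in events[start:end + 1]}
            if len(ids) > max_ids:
                flagged[src] = max(flagged.get(src, 0), len(ids))
    return flagged

def reached_meeting(log_text, sources):
    """Meetings where a flagged source reached the waiting room or joined."""
    hit = {"waiting_room", "joined"}
    return sorted({mid for _, src, mid, res in parse(log_text)
                   if src in sources and res in hit})
```

A participant who mistypes a password for one meeting, like the second source in the sample, stays below the threshold because only distinct meeting IDs are counted.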
Security-Minded Focus for the Future
It’s unclear how long organizations will need to continue to use video conferencing apps as the primary means to connect with their employees, business prospects and clients. Security professionals should apply the tips above to build out video conferencing security strategies to be prepared for whatever the future of digital security has in store for their organizations.
David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Trip...