Use of video conferencing applications grew substantially following the outbreak of the coronavirus (COVID-19) global pandemic. According to the Research and Markets article “Video Conferencing Demand Rises due to Social-Distancing,” video conferencing software experienced 62 million downloads in March 2020. This increase in use resulted from businesses adopting video conferencing platforms as a means to facilitate their transition to remote work.

Concerns surrounding productivity in a time of unprecedented crisis drove many organizations to quickly embrace video conferencing technology. In so doing, some organizations might have neglected to take the security of video conferencing apps into account. Given that possibility, organizations need to be familiar with the types of security and privacy risks they might have overlooked. Only then can they formulate effective best practices to strengthen their digital security going forward.

Risks Associated With Video Conferencing Apps

The security and privacy risks associated with video conferencing applications break down into two categories: attacks where nefarious individuals take the initiative and security incidents that arise from mistakes.

1. Malicious Actors Take the Lead

One of the most common examples of risk affecting video conferencing apps is a meeting bombing attack. Palo Alto Networks explains that a meeting bombing attack consists of a security incident in which uninvited guests join a video conferencing meeting. They do so after having discovered or successfully guessed the meeting ID using a technique known as “war dialing.”

These attackers may engage in various types of malicious activity. They might choose to disrupt the meeting by sharing inappropriate content or media with the other attendees via sharing their screen. Alternatively, they can remain quiet in an attempt to not alert the meeting host of their presence. If undetected, these actors can use the call to learn about trade secrets and intellectual property. They could also gain more insight into the structure of the organization and then leverage this insight to conduct secondary attacks once the call is complete.

Attackers also can deploy additional malicious techniques before the call finishes. In the article “Video Conferencing Security Issues and Opportunities,” Unify Square notes that these individuals could abuse the chat feature on most video conferencing apps to conduct phishing attacks. They could do this by sending over links that redirect recipients to fake login pages or websites that host malware payloads.

2. Mistakes That Undermine Organizational Security

These types of risks tend to arise once a recorded video conferencing call has concluded. First, organizations need to be concerned about exposing the contents of the call depending on how they manage the recording. They could share a call’s entire meeting folder with colleagues or the public, as an example. But, they might not realize the folder contains all the private chats shared between the host and meeting participants. Such a breach could ruin business deals, undermine public confidence in the company and empower a malicious actor to take action against the affected organization.

Second, organizations need to worry about whether their video conferencing app has adequate security measures in place to prevent attackers from accessing a protected call recording. Most platform vendors offer end-to-end encryption or enable customers to manage their own encryption keys for their recorded calls.

According to the Unify Square article, these implementations suffer from security gaps that could expose calls while they’re in transit or at rest. Malicious actors could subsequently exploit those security holes to access or tamper with the recorded calls, thereby endangering the integrity and confidentiality of the data contained therein.

How To Mitigate Security and Privacy Risks

Fortunately, organizations can take several steps to mitigate the security and privacy risks associated with video conferencing apps. These measures include the following:

  • Be careful about where they share meeting information. Trend Micro notes that organizations need to be careful about where they share the information for upcoming calls. They should avoid displaying this information openly on social media platforms and on their website. If the call is open to the public, organizations can leverage a registration process equipped with a CAPTCHA mechanism to help weed out potential attackers. By contrast, they should consider circulating the invitation via email only if the meeting is internal.
  • Use a password to protect upcoming calls. One of the most common ways attackers access a video conferencing call is by guessing the meeting ID. Organizations can stop this malicious activity by protecting each of their calls with a unique, robust password. This security measure functions as a second step of verification. Even if the attackers have the meeting ID, they won’t be able to join the meeting without the password.
  • Implement waiting rooms. Organizations can still foil malicious actors who find a way to access the call. They can do this by using waiting rooms. This feature allows meeting hosts to review the names of participants requesting entry into the meeting. If they see an unfamiliar attendee name, they can refuse to grant entry to that individual. Once the meeting has begun, hosts should then conduct a roll call. This step will help hosts confirm the list of attendees and eject unwanted guests from the meeting.
  • Disable file transfer and automatic screen sharing features. Organizations can use their host controls to limit the types of activity that can occur during a call. For instance, they can disable file transfer features to prevent attackers from attempting to spread malware. They can also disable automatic screen sharing to deter meeting bombing attacks and block legitimate attendees from accidentally sharing sensitive information.
  • Don’t record a meeting unless you need to do so. Computer World reminds us that not every call needs to be recorded. If organizations decide they need the call’s information for future use, they should inform all participants that they will be recording the call. Save the recording by using a unique name and make sure it is stored in a way that follows existing security policies.
  • Act quickly if a compromise is detected. There’s no time to waste if a compromise occurs during a call, advises Charles Henderson, Global Partner and Head of IBM X-Force Red. In the event something malicious does happen, organizations should mute all participants, inform them the call has been compromised and promptly end the call. They should then notify the platform provider about the incident as well as report the event to their legal and security teams.
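
The meeting ID guessing described above leaves a recognizable trace in join logs: one source failing against many different meeting IDs within a short span. The following is an added example, not code from the original article or from any vendor, that flags that pattern. The log format, field names and thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample join log (chronological). Format and field names are
# assumptions for illustration, not any platform's real schema.
SAMPLE_LOG = """\
2020-04-01T10:00:00Z src=198.51.100.20 meeting_id=482913375 result=joined
2020-04-01T10:00:01Z src=203.0.113.7 meeting_id=100000001 result=not_found
2020-04-01T10:00:02Z src=203.0.113.7 meeting_id=100000002 result=not_found
2020-04-01T10:00:03Z src=203.0.113.7 meeting_id=100000003 result=not_found
2020-04-01T10:00:04Z src=192.0.2.44 meeting_id=482913375 result=bad_password
2020-04-01T10:00:05Z src=203.0.113.7 meeting_id=100000004 result=not_found
2020-04-01T10:00:06Z src=192.0.2.44 meeting_id=482913375 result=bad_password
2020-04-01T10:00:07Z src=203.0.113.7 meeting_id=100000005 result=bad_password
2020-04-01T10:00:08Z src=192.0.2.44 meeting_id=482913375 result=joined
2020-04-01T10:00:09Z src=203.0.113.7 meeting_id=100000006 result=not_found
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) meeting_id=(\d+) result=(\w+)$")

def find_id_guessers(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {source: peak count of distinct meeting IDs it failed to join
    within one window}, for sources whose peak reaches the threshold."""
    recent = defaultdict(deque)  # source -> (timestamp, meeting_id) failures
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        ts_raw, src, meeting_id, result = m.groups()
        if result == "joined":
            continue  # only failed attempts count toward guessing
        ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ")
        failures = recent[src]
        failures.append((ts, meeting_id))
        while ts - failures[0][0] > window:  # drop failures older than window
            failures.popleft()
        # Count distinct IDs, so a user mistyping the password for one
        # meeting several times is not mistaken for ID guessing.
        distinct = len({mid for _, mid in failures})
        if distinct >= threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

if __name__ == "__main__":
    print(find_id_guessers(SAMPLE_LOG))
```

Counting distinct meeting IDs rather than raw failures keeps the legitimate attendee at 192.0.2.44, who mistyped one meeting's password twice, out of the result.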

Security-Minded Focus for the Future

It’s unclear how long organizations will need to continue to use video conferencing apps as the primary means to connect with their employees, business prospects and clients. Security professionals should apply the tips above to build out video conferencing security strategies to be prepared for whatever the future of digital security has in store for their organizations.
