Zoom mishaps have provided us with much comic relief while we’re trying to adjust to safe meetings online. We’ll never forget the lawyer who wasn’t really a cat and the boss who was a potato. Zoom backgrounds weren’t left out of the fun either. They gave us laughs, like the student who used Danny DeVito’s head as his background.

But your employees’ Zoom backgrounds can pose a higher risk than just your company becoming the latest internet fodder. Personal information shown during a Zoom call can actually be the cause of a costly and damaging cybersecurity attack. Look at how keeping an eye on your background contributes to safe meetings online.

Is Zoom Video Conferencing Secure?

Over the past year, you’ve likely coached employees on creating a professional-looking Zoom backdrop — no views of bedrooms, toilets or laundry piles. But the setting that many choose for a professional backdrop, with a view of the living room or a bookcase, often includes photos and memorabilia. Or perhaps the camera shows a package or envelope on the desk or on a table behind the employee. Attackers who sneak into the meeting can use the personal details shown in a Zoom background to attempt to gain access to your organization’s network. Along with Skype security issues and other common video conferencing problems, the background can provide attackers with information.

What seem like safe meetings online can actually tell a lot about you. For example, an attacker might see the college pennant on the wall behind you declaring you’re a Florida Gators fan. From your photos and their personalized picture frames, they may learn that you have a beloved dog named Charlie and that you were married on June 15, 1998. You also have a family portrait on the bookcase, proudly showing off your three school-age children. On one call, you have a piece of mail on your desk that shows both your home address and your birthday.

Password Cracking: Classic but Still Relevant

Another common way attackers can use information they see in your home office is to guess passwords. Many people use passwords based on their family, pets and interests. Other common choices are special dates such as birthdays and anniversaries. Using password cracking tools, attackers can start the sleuthing with variations of Charlie, your birthday, your anniversary date and the Gators. People often use the same passwords for multiple logins, even though they are advised not to. Therefore, criminals who crack one password can gain access to many systems and applications, including work apps and email.
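A defender-side check that follows from this, added here as an example and not taken from the original article: at password-change time, reject a candidate password that contains a detail the user is known to display or share. The function names, the profile format and the substitution table are assumptions made for illustration.

```python
import re
from datetime import date

# Common character substitutions; "1" is ambiguous, so both readings are tried.
BASE = {"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"}
LEET_VIEWS = [str.maketrans({**BASE, "1": one}) for one in ("i", "l")]

def date_forms(d):
    """Digit strings people commonly derive from one date."""
    yyyy, yy = f"{d.year:04d}", f"{d.year % 100:02d}"
    mm, dd = f"{d.month:02d}", f"{d.day:02d}"
    return {yyyy, mm + dd, dd + mm, mm + dd + yy, dd + mm + yy,
            mm + dd + yyyy, dd + mm + yyyy, yyyy + mm + dd}

def personal_matches(password, words, dates):
    """Return the sorted personal details found inside a candidate password."""
    lowered = password.lower()
    # Letter-only views with substitutions undone, e.g. "ch4rl1e" -> "charlie".
    views = [re.sub(r"[^a-z]", "", lowered.translate(t)) for t in LEET_VIEWS]
    # Digit-only view so separators such as "/" or "-" do not hide a date.
    digits = re.sub(r"\D", "", password)
    hits = set()
    for word in words:
        token = re.sub(r"[^a-z]", "", word.lower())
        if len(token) < 3:
            continue  # very short tokens match too much to be useful
        if any(token in v or token[::-1] in v for v in views):
            hits.add(word)
    for label, d in dates.items():
        if any(form in digits for form in date_forms(d)):
            hits.add(label)
    return sorted(hits)

# Constructed profile using the details from the article's example.
WORDS = ["Charlie", "Gators", "Florida"]
DATES = {"anniversary": date(1998, 6, 15)}

if __name__ == "__main__":
    for candidate in ["Ch4rl1e!2024", "Gators#0615", "correct-horse-battery-staple"]:
        found = personal_matches(candidate, WORDS, DATES)
        print(candidate, "->", "reject: " + ", ".join(found) if found else "ok")
```

A check like this complements, rather than replaces, screening against breached-password lists and requiring multi-factor authentication.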

Social Engineering Gets Personal

Social engineering schemes can also stem from attackers getting a peek into otherwise safe meetings online. With this type of attack, threat actors design a scenario to get a person to click on a link, download a file or launch a video. From there, malware launches onto their device. Next, the attacker can get into the networks the device is connected to. Because the goal is to create an email that looks like one you may actually receive, it helps the attacker to get insight into what you might be fooled into clicking on.

As companies have increased cybersecurity training, threat actors must make their emails or messages seem as real as possible. Because the attacker knows that you have school-age children, they may send a somewhat generic email about signing up for snacks. Or you might get an email claiming to be from a Florida Gators fan club with a link to a video from last week’s game.

Both of these emails are likely similar to emails that you actually get in your inbox, or at least relate to subjects that you care about. You are therefore more likely to think they are real and click on them than you would be with a very generic email or one on a subject of no interest to you.

While each of these types of attacks starts with a single employee, the malware can quickly spread throughout the network. Once the malware enters the network, it can damage or steal sensitive data as well as infect other devices. Unfortunately, a single unsuspecting employee who clicks on a malicious email can cause a major incident that can cost a lot of time and damage your reputation.

How Threat Actors Gain Access to Zoom Calls

You may think that this type of attack can’t happen at your company, or there are very low odds of it happening, because it would require an internal leak or be an inside job. That would be incorrect. Attackers can use this technique through public video calls, such as media interviews, webinars and even conference sessions. Any calls with vendors and customers also open up your employees’ home offices to a wider threat pool.

Additionally, an employee could share a screenshot of a Zoom call on their own social media accounts that inadvertently shows personal details in a co-worker’s background. Not to mention, many employees like to show off their home offices on their personal social media accounts, which are typically very similar to their Zoom backgrounds. Even if you’re holding safe meetings online, posting photos from work can give attackers information.

If your company or any employees record Zoom calls and store the videos on the cloud, you are also creating a potential vulnerability. Even more concerning are calls that other parties (such as vendors, media and customers) may record and then store on their own cloud. Also, many companies forget to delete Zoom recordings that are no longer needed. Criminals can break into the video storage through your company network and mine those calls for details in the Zoom background.

Video Conference Security Issues

Like many aspects of cybersecurity, keeping your company safe from the vulnerabilities of Zoom calls starts with employee training. Be sure to include the following in your cybersecurity employee training so you can hold safe meetings online:

  • Have all employees remove personal items from their Zoom backgrounds, such as photos and memorabilia, even for internal calls.
  • Discuss the importance of making sure home addresses or birth dates are not visible in calls.
  • Create a company-approved Zoom background, such as a photo of your conference rooms or office areas, for all employees. You may want to create a couple different ones to give employees some options to choose from.
  • Require employees to use a company-approved Zoom background for calls with people outside the company or in another location.

Remote work has created new cybersecurity issues. Companies must continue to train employees on the ways they could unintentionally help an attacker while trying to hold safe meetings online. By including video conferencing security best practices in new employee orientation, as well as in ongoing awareness training, you can reduce the risk of a threat actor seeing something they shouldn’t — not to mention your coworkers seeing your laundry.
