Zoom mishaps have provided us with much comic relief while we’re trying to adjust to safe meetings online. We’ll never forget the lawyer who wasn’t really a cat and the boss who was a potato. Zoom backgrounds weren’t left out of the fun either. They gave us laughs, like the student who used Danny DeVito’s head as his background.

But your employees’ Zoom backgrounds can pose a higher risk than just your company becoming the latest internet fodder. Personal information shown during a Zoom call can actually be the cause of a costly and damaging cybersecurity attack. Look at how keeping an eye on your background contributes to safe meetings online.

Is Zoom Video Conferencing Secure?

Over the past year, you’ve likely coached employees on creating a professional-looking Zoom backdrop — no views of bedrooms, toilets or laundry piles. But the setting that many choose for a professional backdrop, with a view of the living room or a bookcase, often includes photos and memorabilia. Or perhaps the camera shows a package or envelope on the desk or on a table behind the employee. Attackers who sneak into the meeting can use the personal details shown in a Zoom background to attempt to gain access to your organization’s network. Along with Skype security issues and other common video conferencing problems, the background can provide attackers with information.

What seem like safe meetings online can actually tell a lot about you. For example, an attacker might see the college pennant on the wall behind you declaring you’re a Florida Gators fan. From your photos, they may learn that you have a beloved dog named Charlie and that you were married on June 15, 1998 — thanks to the personalized picture frames. You also have a family portrait on the bookcase, proudly showing off your three school-age children. On one call, you have a piece of mail on your desk that shows both your home address and your birthday.

Password Cracking: Classic but Still Relevant

Another common way attackers can use information they see in your home office is to crack passwords. Many people use passwords based on their family, pets and interests. Other common choices are special dates such as birthdays and anniversaries. Using password cracking tools, attackers can start the sleuthing with variations of Charlie, your birthday, your anniversary date and the Gators. People often use the same passwords for multiple logins, even though they are advised not to. As a result, criminals who crack one password can gain access to many systems and applications, including work apps and email.
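The same personal details can be screened for at the moment a password is set. The following is an added example, not part of the original article: a password-change check that rejects candidates built on names or dates tied to the user. The function names are hypothetical, and the sample words and date are taken from the scenario above.

```python
import re
from datetime import date

# Undo common character substitutions before matching words.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

def date_forms(d):
    """Digit strings a date commonly takes inside a password."""
    y, yy = f"{d.year:04d}", f"{d.year % 100:02d}"
    m, dd = f"{d.month:02d}", f"{d.day:02d}"
    return {m + dd + y, dd + m + y, y + m + dd, m + dd + yy, dd + m + yy, m + dd, y}

def personal_hits(password, words, dates):
    """Return the personal tokens (sorted) that a proposed password is built on."""
    lowered = password.lower()
    letters = re.sub(r"[^a-z]", "", lowered.translate(LEET))
    # Join dates written with separators (06-15-1998), then take each digit run.
    runs = re.findall(r"\d+", re.sub(r"(?<=\d)[-/.](?=\d)", "", password))
    hits = set()
    for w in words:
        key = re.sub(r"[^a-z]", "", w.lower())
        if len(key) >= 3 and key in letters:
            hits.add(key)
    for d in dates:
        if any(form in run for form in date_forms(d) for run in runs):
            hits.add(d.isoformat())
    return sorted(hits)

# Constructed sample: the details from the article's scenario.
WORDS = ["Charlie", "Gators"]
DATES = [date(1998, 6, 15)]

if __name__ == "__main__":
    for candidate in ["Ch4rl!e2024", "G@t0rs_0615", "06-15-1998!",
                      "correct-horse-battery-staple"]:
        hits = personal_hits(candidate, WORDS, DATES)
        print(candidate, "REJECT" if hits else "ok", hits)
```

A check like this belongs alongside breached-password screening and multi-factor authentication, since it only covers the details the organization already knows about a user.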

Social Engineering Gets Personal

Social engineering schemes can also stem from attackers getting a peek into otherwise safe meetings online. With this type of attack, threat actors design a scenario to get a person to click on a link, download a file or launch a video. From there, malware launches onto their device. Next, the attacker can get into the networks the device is connected to. Because the goal is to create an email that looks like one you may actually receive, it’s helpful to get insight into what you might be fooled into clicking on.

As companies have increased cybersecurity training, threat actors must make their emails or messages seem as real as possible. Because the attacker knows that you have school-age children, they may send a somewhat generic email about signing up for snacks. Or you might get an email claiming to be from a Florida Gators fan club with a link to a video from last week’s game.

Both of these emails are likely similar to emails that you actually get in your inbox, or at least relate to subjects that you care about. That makes you more likely to believe they are real and click on them than you would be with a very generic email or one on a subject that doesn’t interest you.

While each of these types of attacks starts with a single employee, the malware can quickly spread throughout the network. Once the malware enters the network, it can damage or steal sensitive data as well as infect other devices. Unfortunately, a single employee who unsuspectingly clicks on an email can cause a major incident that can cost a lot of time and damage your reputation.

How Threat Actors Gain Access to Zoom Calls

You may think that this type of attack can’t happen at your company, or there are very low odds of it happening, because it would require an internal leak or be an inside job. That would be incorrect. Attackers can use this technique through public video calls, such as media interviews, webinars and even conference sessions. Any calls with vendors and customers also open up your employees’ home offices to a wider threat pool.

Additionally, an employee could share a screenshot of a Zoom call on their own social media accounts that inadvertently shows personal details in a co-worker’s background. Not to mention, many employees like to show off their home offices on their personal social media accounts, which are typically very similar to their Zoom backgrounds. Even if you’re holding safe meetings online, posting photos from work can give attackers information.

If your company or any employees record Zoom calls and store the videos on the cloud, you are also creating a potential vulnerability. Even more concerning are calls that other parties (such as vendors, media and customers) may record and then store on their own cloud. Also, many companies forget to delete Zoom recordings that are no longer needed. Criminals can break into the video storage through your company network and mine those calls for details in the Zoom background.

Video Conference Security Issues

Like many aspects of cybersecurity, keeping your company safe from the vulnerabilities of Zoom calls starts with employee training. Be sure to include the following in your cybersecurity employee training so you can hold safe meetings online:

  • Have all employees remove personal items from their Zoom backgrounds, such as photos and memorabilia, even for internal calls.
  • Discuss the importance of making sure home addresses or birth dates are not visible in calls.
  • Create a company-approved Zoom background, such as a photo of your conference rooms or office areas, for all employees. You may want to create a couple of different ones to give employees some options to choose from.
  • Require employees to use a company-approved Zoom background for calls with people outside the company or in another location.

Remote work has created new cybersecurity issues. Companies must continue to train employees on the ways they could unintentionally help an attacker while trying to hold safe meetings online. By including video conferencing security best practices in new employee orientation, as well as in ongoing awareness training, you can reduce the risk of a threat actor seeing something they shouldn’t — not to mention your coworkers seeing your laundry.
