June 1, 2020 By Charles Henderson 5 min read

With 316 million Americans being asked to stay at home during the COVID-19 pandemic and nearly half of the U.S. population still working from home, video conferencing has suddenly become a critical tool for businesses. In fact, tools for remote work have spiked 84 percent since February, with video conferencing platforms like Webex recently sharing that they host more than 4 million meetings in a single day.

Unfortunately, our rush to work from home and connect through video conferencing has introduced security risks for businesses. Vulnerabilities in popular platforms such as Zoom have filled recent headlines, but my team of hackers in IBM’s X-Force Red have observed an issue that was looming long before the pandemic: Corporations are not applying security policies for virtual meetings.

Over the past month, our team has gone from receiving few calls regarding video conference software assessments to an average of five to six per week. Interestingly, most businesses would come to us before to test for hardware vulnerabilities in video conference cameras. Now that has shifted to concerns about the type of software that could allow strangers to access their private meetings.

Since we’ve had an uptick in requests for this type of analysis from clients, we looked at the top five video conferencing services and their policies and found, unsurprisingly, that all of them support non-member meetings. Basically, these meetings do not require authentication, which means any third-party user can access a meeting using a simple link or code that is typically embedded in email threads and calendar invites. Misuse of unsecured meetings leaves organizations at risk of allowing untrusted individuals access to sensitive information, materials and discussions that weren’t meant for their access.

Over my 20-plus years in the industry, I’ve seen multiple attacks emerge that are extremely clever uses of new vulnerabilities, but the most effective ones are typically far simpler — for better or for worse. The potential for video conferencing platforms to expose sensitive information for the taking is an eye-opener.

The key thing to keep in mind is these platforms all offer various security controls, but like most new technologies, how they’re implemented at scale is what matters. There are encryption, passwords and other controls, so it’s not much of an undertaking to apply policies, but it takes the will to implement and enforce them.

Potential Areas Ripe for Abuse and How to Stop It

While we haven’t publicly heard of any sensitive data being stolen, the “Zoom bombing” phenomenon has become well known. Either way, it’s a preview of how the abuse might work. So, what are the considerations we’re advising clients to think through?

First and foremost, identify your most sensitive meetings. Realistically, businesses are using video conferencing to discuss sensitive information. Think about all the board meetings, financial updates, or merger and acquisition (M&A) conversations that might have taken place in person but are now remote. In a typical organization, these types of meetings make up about 5 percent of all the video conferencing calls a company does in a day. The remaining 95 percent of business meetings aren’t considered as sensitive.

Organizations should look at this problem with a risk-based approach; that means assessing the types of calls they’re conducting via video conferencing platforms and determining confidentiality levels. I often ask clients if they would take a given meeting at a coffee shop, and if they would, would they need to whisper so others couldn’t hear the content? If the answer is yes, it’s most likely a sensitive conversation. Based on those types of assessments, video conferencing security policies should be built and communicated at every job level — from executive assistants to the wider legal team, all groups need to be aware of potential risks.

The other major factor is authentication. With platforms like Zoom adding 100 million daily users just in the past month, the odds of criminals being able to brute force their way into calls are increasing at the same rate. Remember war dialing? Back in the ’80s and ’90s, criminals would (and still do) scan phone numbers to find modems connected to unsecured computers.

Now, with video conferencing, the ability to guess meeting room names or numbers has become just as effective. Most companies use a static web address for their video conferencing platform. I’m sure you’ve clicked on one of these before, something like “videoplatform.acmecorp.com/janedoe.” With a bit of social engineering, crafty criminals can discover the room names for corporate officers and join their meetings without much effort. Similarly, brute-force attacks can be effective against services that use numbered rooms.

To help businesses start their security strategy for confidential meetings, here are some tips to help create greater privacy and control:

  • Confidential Call Policies: Have employees evaluate their meetings’ sensitivity when they’re first scheduled. This will help determine what security protocols are needed. Meetings such as board meetings, pre-earnings discussions and M&A discussions that usually occur in person are now moving to video conference. A good rule of thumb is, would you normally take the meeting at a coffee shop? If not, consider it confidential.
  • Consider Unique Meeting IDs: Many platforms give users a standard meeting room name, which is often a predictable combination of the company and individual’s name. While these are convenient for the 95 percent of meetings that aren’t highly confidential, such as a quick one-on-one meeting with your manager, sensitive meetings with a bigger group should have a unique meeting identifier. Keep in mind that reusing room names allows previously invited participants to join all future meetings with the same name — sensitive or otherwise.
  • Implement Meeting Passwords/PINs: For an extra layer of security, beyond a unique meeting ID, apply unique passwords or PINs so only invited participants can join calls. And if your platform defaults to non-member meetings, make authenticated meetings standard.
  • Roll Call: Meeting hosts should make sure they know everyone on their sensitive calls; do this with a simple roll call before the meeting starts. This will help to identify participants dialing in using nameless phone numbers instead of a profile, similar to what non-member meetings allow.
  • Revise Settings: Take advantage of features like waiting rooms that require the host to add attendees to the meeting. Other controls, such as disabling the ability to join a meeting before the host arrives, can keep participants from accidentally discussing sensitive information before knowing who is on the call.
  • Notifications: Turn on notifications to keep track of who enters the meeting room at any given time, and make use of both visual and audible notifications so nothing goes unnoticed.
  • Alternate Hosts/Password Sharing: Apply policies that prohibit employees from sharing meeting room passwords and allowing alternate host permissions to avoid credentials falling into the wrong hands.
  • Once Accessed: If your meeting has already been compromised, the best thing to do is end it immediately — powering through the call only puts sensitive information at risk. And if for some reason you can’t do this immediately, notify and mute all participants so they are aware of the intruder and know not to divulge any further information while you work to end the call. Once the call has ended, report the issue to the platform provider as soon as possible and report the incident to your company’s legal and security teams.

Watch Charles Henderson, X-Force Red’s Global Head, Managing Partner and veteran hacker, present an in-depth recorded event presentation about the COVID-19 threat landscape.

More from X-Force

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - Summary As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed…

Why federal agencies need a mission-centered cyber response

4 min read - Cybersecurity continues to be a top focus for government agencies with new cybersecurity requirements. Threats in recent years have crossed from the digital world to the physical and even involved critical infrastructure, such as the cyberattack on SolarWinds and the Colonial Pipeline ransomware attack. According to the IBM Cost of a Data Breach 2023 Report, a breach in the public sector, which includes government agencies, is up to $2.6 million from $2.07 million in 2022. Government agencies need to move…

CVE-2023-20078 technical analysis: Identifying and triggering a command injection vulnerability in Cisco IP phones

7 min read - CVE-2023-20078 catalogs an unauthenticated command injection vulnerability in the web-based management interface of Cisco 6800, 7800, and 8800 Series IP Phones with Multiplatform Firmware installed; however, limited technical analysis is publicly available. This article presents my findings while researching this vulnerability. In the end, the reader should be equipped with the information necessary to understand and trigger this vulnerability.Vulnerability detailsThe following Cisco Security Advisory (Cisco IP Phone 6800, 7800, and 8800 Series Web UI Vulnerabilities - Cisco) details CVE-2023-20078 and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today