With 316 million Americans being asked to stay at home during the COVID-19 pandemic and nearly half of the U.S. population still working from home, video conferencing has suddenly become a critical tool for businesses. In fact, tools for remote work have spiked 84 percent since February, with video conferencing platforms like Webex recently sharing that they host more than 4 million meetings in a single day.

Unfortunately, our rush to work from home and connect through video conferencing has introduced security risks for businesses. Vulnerabilities in popular platforms such as Zoom have filled recent headlines, but my team of hackers in IBM’s X-Force Red have observed an issue that was looming long before the pandemic: Corporations are not applying security policies for virtual meetings.

Over the past month, our team has gone from receiving few calls regarding video conference software assessments to an average of five to six per week. Interestingly, most businesses would come to us before to test for hardware vulnerabilities in video conference cameras. Now that has shifted to concerns about the type of software that could allow strangers to access their private meetings.

Since we’ve had an uptick in requests for this type of analysis from clients, we looked at the top five video conferencing services and their policies and found, unsurprisingly, that all of them support non-member meetings. Basically, these meetings do not require authentication, which means any third-party user can access a meeting using a simple link or code that is typically embedded in email threads and calendar invites. Misuse of unsecured meetings leaves organizations at risk of allowing untrusted individuals access to sensitive information, materials and discussions that weren’t meant for their access.

Over my 20-plus years in the industry, I’ve seen multiple attacks emerge that are extremely clever uses of new vulnerabilities, but the most effective ones are typically far simpler — for better or for worse. The potential for video conferencing platforms to expose sensitive information for the taking is an eye-opener.

The key thing to keep in mind is these platforms all offer various security controls, but like most new technologies, how they’re implemented at scale is what matters. There are encryption, passwords and other controls, so it’s not much of an undertaking to apply policies, but it takes the will to implement and enforce them.

Potential Areas Ripe for Abuse and How to Stop It

While we haven’t publicly heard of any sensitive data being stolen, the “Zoom bombing” phenomenon has become well known. Either way, it’s a preview of how the abuse might work. So, what are the considerations we’re advising clients to think through?

First and foremost, identify your most sensitive meetings. Realistically, businesses are using video conferencing to discuss sensitive information. Think about all the board meetings, financial updates, or merger and acquisition (M&A) conversations that might have taken place in person but are now remote. In a typical organization, these types of meetings make up about 5 percent of all the video conferencing calls a company does in a day. The remaining 95 percent of business meetings aren’t considered as sensitive.

Organizations should look at this problem with a risk-based approach; that means assessing the types of calls they’re conducting via video conferencing platforms and determining confidentiality levels. I often ask clients if they would take a given meeting at a coffee shop, and if they would, would they need to whisper so others couldn’t hear the content? If the answer is yes, it’s most likely a sensitive conversation. Based on those types of assessments, video conferencing security policies should be built and communicated at every job level — from executive assistants to the wider legal team, all groups need to be aware of potential risks.

The other major factor is authentication. With platforms like Zoom adding 100 million daily users just in the past month, the odds of criminals being able to brute force their way into calls are increasing at the same rate. Remember war dialing? Back in the ’80s and ’90s, criminals would (and still do) scan phone numbers to find modems connected to unsecured computers.

Now, with video conferencing, the ability to guess meeting room names or numbers has become just as effective. Most companies use a static web address for their video conferencing platform. I’m sure you’ve clicked on one of these before, something like “videoplatform.acmecorp.com/janedoe.” With a bit of social engineering, crafty criminals can discover the room names for corporate officers and join their meetings without much effort. Similarly, brute-force attacks can be effective against services that use numbered rooms.

To help businesses start their security strategy for confidential meetings, here are some tips to help create greater privacy and control:

  • Confidential Call Policies: Have employees evaluate their meetings’ sensitivity when they’re first scheduled. This will help determine what security protocols are needed. Meetings such as board meetings, pre-earnings discussions and M&A discussions that usually occur in person are now moving to video conference. A good rule of thumb is, would you normally take the meeting at a coffee shop? If not, consider it confidential.
  • Consider Unique Meeting IDs: Many platforms give users a standard meeting room name, which is often a predictable combination of the company and individual’s name. While these are convenient for the 95 percent of meetings that aren’t highly confidential, such as a quick one-on-one meeting with your manager, sensitive meetings with a bigger group should have a unique meeting identifier. Keep in mind that reusing room names allows previously invited participants to join all future meetings with the same name — sensitive or otherwise.
  • Implement Meeting Passwords/PINs: For an extra layer of security, beyond a unique meeting ID, apply unique passwords or PINs so only invited participants can join calls. And if your platform defaults to non-member meetings, make authenticated meetings standard.
  • Roll Call: Meeting hosts should make sure they know everyone on their sensitive calls; do this with a simple roll call before the meeting starts. This will help to identify participants dialing in using nameless phone numbers instead of a profile, similar to what non-member meetings allow.
  • Revise Settings: Take advantage of features like waiting rooms that require the host to add attendees to the meeting. Other controls, such as disabling the ability to join a meeting before the host arrives, can keep participants from accidentally discussing sensitive information before knowing who is on the call.
  • Notifications: Turn on notifications to keep track of who enters the meeting room at any given time, and make use of both visual and audible notifications so nothing goes unnoticed.
  • Alternate Hosts/Password Sharing: Apply policies that prohibit employees from sharing meeting room passwords and allowing alternate host permissions to avoid credentials falling into the wrong hands.
  • Once Accessed: If your meeting has already been compromised, the best thing to do is end it immediately — powering through the call only puts sensitive information at risk. And if for some reason you can’t do this immediately, notify and mute all participants so they are aware of the intruder and know not to divulge any further information while you work to end the call. Once the call has ended, report the issue to the platform provider as soon as possible and report the incident to your company’s legal and security teams.

Watch Charles Henderson, X-Force Red’s Global Head, Managing Partner and veteran hacker, present an in-depth recorded event presentation about the COVID-19 threat landscape.

More from Threat Research

ITG10 Likely Targeting South Korean Entities of Interest to the Democratic People’s Republic of Korea (DPRK)

7 min read - In late April 2023, IBM Security X-Force uncovered documents that are most likely part of a phishing campaign mimicking credible senders, orchestrated by a group X-Force refers to as ITG10, and aimed at delivering RokRAT malware, similar to what has been observed by others. ITG10's tactics, techniques and procedures (TTPs) overlap with APT37 and ScarCruft. The initial delivery method is conducted via a LNK file, which drops two Windows shortcut files containing obfuscated PowerShell scripts in charge of downloading a…

7 min read

Poor Communication During a Data Breach Can Cost You — Here’s How to Avoid It

5 min read - No one needs to tell you that data breaches are costly. That data has been quantified and the numbers are staggering. In fact, the IBM Security Cost of a Data Breach estimates that the average cost of a data breach in 2022 was $4.35 million, with 83% of organizations experiencing one or more security incidents. But what’s talked about less often (and we think should be talked about more) is how communication — both good and bad — factors into…

5 min read

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

2 min read

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…

9 min read