June 1, 2020 By Charles Henderson 5 min read

With 316 million Americans being asked to stay at home during the COVID-19 pandemic and nearly half of the U.S. population still working from home, video conferencing has suddenly become a critical tool for businesses. In fact, tools for remote work have spiked 84 percent since February, with video conferencing platforms like Webex recently sharing that they host more than 4 million meetings in a single day.

Unfortunately, our rush to work from home and connect through video conferencing has introduced security risks for businesses. Vulnerabilities in popular platforms such as Zoom have filled recent headlines, but my team of hackers in IBM’s X-Force Red have observed an issue that was looming long before the pandemic: Corporations are not applying security policies for virtual meetings.

Over the past month, our team has gone from receiving few calls regarding video conference software assessments to an average of five to six per week. Interestingly, most businesses would come to us before to test for hardware vulnerabilities in video conference cameras. Now that has shifted to concerns about the type of software that could allow strangers to access their private meetings.

Since we’ve had an uptick in requests for this type of analysis from clients, we looked at the top five video conferencing services and their policies and found, unsurprisingly, that all of them support non-member meetings. Basically, these meetings do not require authentication, which means any third-party user can access a meeting using a simple link or code that is typically embedded in email threads and calendar invites. Misuse of unsecured meetings leaves organizations at risk of allowing untrusted individuals access to sensitive information, materials and discussions that weren’t meant for their access.

Over my 20-plus years in the industry, I’ve seen multiple attacks emerge that are extremely clever uses of new vulnerabilities, but the most effective ones are typically far simpler — for better or for worse. The potential for video conferencing platforms to expose sensitive information for the taking is an eye-opener.

The key thing to keep in mind is these platforms all offer various security controls, but like most new technologies, how they’re implemented at scale is what matters. There are encryption, passwords and other controls, so it’s not much of an undertaking to apply policies, but it takes the will to implement and enforce them.

Potential Areas Ripe for Abuse and How to Stop It

While we haven’t publicly heard of any sensitive data being stolen, the “Zoom bombing” phenomenon has become well known. Either way, it’s a preview of how the abuse might work. So, what are the considerations we’re advising clients to think through?

First and foremost, identify your most sensitive meetings. Realistically, businesses are using video conferencing to discuss sensitive information. Think about all the board meetings, financial updates, or merger and acquisition (M&A) conversations that might have taken place in person but are now remote. In a typical organization, these types of meetings make up about 5 percent of all the video conferencing calls a company does in a day. The remaining 95 percent of business meetings aren’t considered as sensitive.

Organizations should look at this problem with a risk-based approach; that means assessing the types of calls they’re conducting via video conferencing platforms and determining confidentiality levels. I often ask clients if they would take a given meeting at a coffee shop, and if they would, would they need to whisper so others couldn’t hear the content? If the answer is yes, it’s most likely a sensitive conversation. Based on those types of assessments, video conferencing security policies should be built and communicated at every job level — from executive assistants to the wider legal team, all groups need to be aware of potential risks.

The other major factor is authentication. With platforms like Zoom adding 100 million daily users just in the past month, the odds of criminals being able to brute force their way into calls are increasing at the same rate. Remember war dialing? Back in the ’80s and ’90s, criminals would (and still do) scan phone numbers to find modems connected to unsecured computers.

Now, with video conferencing, the ability to guess meeting room names or numbers has become just as effective. Most companies use a static web address for their video conferencing platform. I’m sure you’ve clicked on one of these before, something like “videoplatform.acmecorp.com/janedoe.” With a bit of social engineering, crafty criminals can discover the room names for corporate officers and join their meetings without much effort. Similarly, brute-force attacks can be effective against services that use numbered rooms.

To help businesses start their security strategy for confidential meetings, here are some tips to help create greater privacy and control:

  • Confidential Call Policies: Have employees evaluate their meetings’ sensitivity when they’re first scheduled. This will help determine what security protocols are needed. Meetings such as board meetings, pre-earnings discussions and M&A discussions that usually occur in person are now moving to video conference. A good rule of thumb is, would you normally take the meeting at a coffee shop? If not, consider it confidential.
  • Consider Unique Meeting IDs: Many platforms give users a standard meeting room name, which is often a predictable combination of the company and individual’s name. While these are convenient for the 95 percent of meetings that aren’t highly confidential, such as a quick one-on-one meeting with your manager, sensitive meetings with a bigger group should have a unique meeting identifier. Keep in mind that reusing room names allows previously invited participants to join all future meetings with the same name — sensitive or otherwise.
  • Implement Meeting Passwords/PINs: For an extra layer of security, beyond a unique meeting ID, apply unique passwords or PINs so only invited participants can join calls. And if your platform defaults to non-member meetings, make authenticated meetings standard.
  • Roll Call: Meeting hosts should make sure they know everyone on their sensitive calls; do this with a simple roll call before the meeting starts. This will help to identify participants dialing in using nameless phone numbers instead of a profile, similar to what non-member meetings allow.
  • Revise Settings: Take advantage of features like waiting rooms that require the host to add attendees to the meeting. Other controls, such as disabling the ability to join a meeting before the host arrives, can keep participants from accidentally discussing sensitive information before knowing who is on the call.
  • Notifications: Turn on notifications to keep track of who enters the meeting room at any given time, and make use of both visual and audible notifications so nothing goes unnoticed.
  • Alternate Hosts/Password Sharing: Apply policies that prohibit employees from sharing meeting room passwords and allowing alternate host permissions to avoid credentials falling into the wrong hands.
  • Once Accessed: If your meeting has already been compromised, the best thing to do is end it immediately — powering through the call only puts sensitive information at risk. And if for some reason you can’t do this immediately, notify and mute all participants so they are aware of the intruder and know not to divulge any further information while you work to end the call. Once the call has ended, report the issue to the platform provider as soon as possible and report the incident to your company’s legal and security teams.

Watch Charles Henderson, X-Force Red’s Global Head, Managing Partner and veteran hacker, present an in-depth recorded event presentation about the COVID-19 threat landscape.

More from X-Force

IBM identifies zero-day vulnerability in Zyxel NAS devices

12 min read - While investigating CVE-2023-27992, a vulnerability affecting Zyxel network-attached storage (NAS) devices, the IBM X-Force uncovered two new flaws, which when used together, allow for pre-authenticated remote code execution. Zyxel NAS devices are typically used by consumers as cloud storage devices for homes or small to medium-sized businesses. When used together, the flaws X-Force discovered allow a remote attacker to execute arbitrary code on the device with superuser permissions and without requiring any credentials. This results in complete control over the…

Stealthy WailingCrab Malware misuses MQTT Messaging Protocol

14 min read - This article was made possible thanks to the hard work of writer Charlotte Hammond and contributions from Ole Villadsen and Kat Metrick. IBM X-Force researchers have been tracking developments to the WailingCrab malware family, in particular, those relating to its C2 communication mechanisms, which include misusing the Internet-of-Things (IoT) messaging protocol MQTT. WailingCrab, also known as WikiLoader, is a sophisticated, multi-component malware delivered almost exclusively by an initial access broker that X-Force tracks as Hive0133, which overlaps with TA544. WailingCrab…

Empowering cybersecurity leadership: Strategies for effective Board engagement

4 min read - With the increased regulation surrounding cyberattacks, more and more executives are seeing these attacks for what they are - serious threats to business operations, profitability and business survivability. But what about the Board of Directors? Are they getting all the information they need? Are they aware of your organization’s cybersecurity initiatives? Do they understand why those initiatives matter? Maybe not. According to Harvard Business Review, only 47% of board members regularly engage with their CISO. There appears to be a…

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today