June 1, 2020 By Charles Henderson 5 min read

With 316 million Americans being asked to stay at home during the COVID-19 pandemic and nearly half of the U.S. population still working from home, video conferencing has suddenly become a critical tool for businesses. In fact, tools for remote work have spiked 84 percent since February, with video conferencing platforms like Webex recently sharing that they host more than 4 million meetings in a single day.

Unfortunately, our rush to work from home and connect through video conferencing has introduced security risks for businesses. Vulnerabilities in popular platforms such as Zoom have filled recent headlines, but my team of hackers in IBM’s X-Force Red have observed an issue that was looming long before the pandemic: Corporations are not applying security policies for virtual meetings.

Over the past month, our team has gone from receiving few calls regarding video conference software assessments to an average of five to six per week. Interestingly, most businesses would come to us before to test for hardware vulnerabilities in video conference cameras. Now that has shifted to concerns about the type of software that could allow strangers to access their private meetings.

Since we’ve had an uptick in requests for this type of analysis from clients, we looked at the top five video conferencing services and their policies and found, unsurprisingly, that all of them support non-member meetings. Basically, these meetings do not require authentication, which means any third-party user can access a meeting using a simple link or code that is typically embedded in email threads and calendar invites. Misuse of unsecured meetings leaves organizations at risk of allowing untrusted individuals access to sensitive information, materials and discussions that weren’t meant for their access.

Over my 20-plus years in the industry, I’ve seen multiple attacks emerge that are extremely clever uses of new vulnerabilities, but the most effective ones are typically far simpler — for better or for worse. The potential for video conferencing platforms to expose sensitive information for the taking is an eye-opener.

The key thing to keep in mind is these platforms all offer various security controls, but like most new technologies, how they’re implemented at scale is what matters. There are encryption, passwords and other controls, so it’s not much of an undertaking to apply policies, but it takes the will to implement and enforce them.

Potential Areas Ripe for Abuse and How to Stop It

While we haven’t publicly heard of any sensitive data being stolen, the “Zoom bombing” phenomenon has become well known. Either way, it’s a preview of how the abuse might work. So, what are the considerations we’re advising clients to think through?

First and foremost, identify your most sensitive meetings. Realistically, businesses are using video conferencing to discuss sensitive information. Think about all the board meetings, financial updates, or merger and acquisition (M&A) conversations that might have taken place in person but are now remote. In a typical organization, these types of meetings make up about 5 percent of all the video conferencing calls a company does in a day. The remaining 95 percent of business meetings aren’t considered as sensitive.

Organizations should look at this problem with a risk-based approach; that means assessing the types of calls they’re conducting via video conferencing platforms and determining confidentiality levels. I often ask clients if they would take a given meeting at a coffee shop, and if they would, would they need to whisper so others couldn’t hear the content? If the answer is yes, it’s most likely a sensitive conversation. Based on those types of assessments, video conferencing security policies should be built and communicated at every job level — from executive assistants to the wider legal team, all groups need to be aware of potential risks.

The other major factor is authentication. With platforms like Zoom adding 100 million daily users just in the past month, the odds of criminals being able to brute force their way into calls are increasing at the same rate. Remember war dialing? Back in the ’80s and ’90s, criminals would (and still do) scan phone numbers to find modems connected to unsecured computers.

Now, with video conferencing, the ability to guess meeting room names or numbers has become just as effective. Most companies use a static web address for their video conferencing platform. I’m sure you’ve clicked on one of these before, something like “videoplatform.acmecorp.com/janedoe.” With a bit of social engineering, crafty criminals can discover the room names for corporate officers and join their meetings without much effort. Similarly, brute-force attacks can be effective against services that use numbered rooms.

To help businesses start their security strategy for confidential meetings, here are some tips to help create greater privacy and control:

  • Confidential Call Policies: Have employees evaluate their meetings’ sensitivity when they’re first scheduled. This will help determine what security protocols are needed. Meetings such as board meetings, pre-earnings discussions and M&A discussions that usually occur in person are now moving to video conference. A good rule of thumb is, would you normally take the meeting at a coffee shop? If not, consider it confidential.
  • Consider Unique Meeting IDs: Many platforms give users a standard meeting room name, which is often a predictable combination of the company and individual’s name. While these are convenient for the 95 percent of meetings that aren’t highly confidential, such as a quick one-on-one meeting with your manager, sensitive meetings with a bigger group should have a unique meeting identifier. Keep in mind that reusing room names allows previously invited participants to join all future meetings with the same name — sensitive or otherwise.
  • Implement Meeting Passwords/PINs: For an extra layer of security, beyond a unique meeting ID, apply unique passwords or PINs so only invited participants can join calls. And if your platform defaults to non-member meetings, make authenticated meetings standard.
  • Roll Call: Meeting hosts should make sure they know everyone on their sensitive calls; do this with a simple roll call before the meeting starts. This will help to identify participants dialing in using nameless phone numbers instead of a profile, similar to what non-member meetings allow.
  • Revise Settings: Take advantage of features like waiting rooms that require the host to add attendees to the meeting. Other controls, such as disabling the ability to join a meeting before the host arrives, can keep participants from accidentally discussing sensitive information before knowing who is on the call.
  • Notifications: Turn on notifications to keep track of who enters the meeting room at any given time, and make use of both visual and audible notifications so nothing goes unnoticed.
  • Alternate Hosts/Password Sharing: Apply policies that prohibit employees from sharing meeting room passwords and allowing alternate host permissions to avoid credentials falling into the wrong hands.
  • Once Accessed: If your meeting has already been compromised, the best thing to do is end it immediately — powering through the call only puts sensitive information at risk. And if for some reason you can’t do this immediately, notify and mute all participants so they are aware of the intruder and know not to divulge any further information while you work to end the call. Once the call has ended, report the issue to the platform provider as soon as possible and report the incident to your company’s legal and security teams.

Watch Charles Henderson, X-Force Red’s Global Head, Managing Partner and veteran hacker, present an in-depth recorded event presentation about the COVID-19 threat landscape.

More from X-Force

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Getting “in tune” with an enterprise: Detecting Intune lateral movement

13 min read - Organizations continue to implement cloud-based services, a shift that has led to the wider adoption of hybrid identity environments that connect on-premises Active Directory with Microsoft Entra ID (formerly Azure AD). To manage devices in these hybrid identity environments, Microsoft Intune (Intune) has emerged as one of the most popular device management solutions. Since this trusted enterprise platform can easily be integrated with on-premises Active Directory devices and services, it is a prime target for attackers to abuse for conducting…

You just got vectored – Using Vectored Exception Handlers (VEH) for defense evasion and process injection

10 min read - Vectored Exception Handlers (VEH) have received a lot of attention from the offensive security industry in recent years, but VEH has been used in malware for well over a decade now. VEH provides developers with an easy way to catch exceptions and modify register contexts, so naturally, they’re a ripe target for malware developers. For all the attention they’ve received, nobody had publicized a way to manually add a Vectored Exception Handler without relying on the built-in Windows APIs which…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today