With 316 million Americans being asked to stay at home during the COVID-19 pandemic and nearly half of the U.S. population still working from home, video conferencing has suddenly become a critical tool for businesses. In fact, tools for remote work have spiked 84 percent since February, with video conferencing platforms like Webex recently sharing that they host more than 4 million meetings in a single day.

Unfortunately, our rush to work from home and connect through video conferencing has introduced security risks for businesses. Vulnerabilities in popular platforms such as Zoom have filled recent headlines, but my team of hackers in IBM’s X-Force Red have observed an issue that was looming long before the pandemic: Corporations are not applying security policies for virtual meetings.

Over the past month, our team has gone from receiving few calls regarding video conference software assessments to an average of five to six per week. Interestingly, most businesses would come to us before to test for hardware vulnerabilities in video conference cameras. Now that has shifted to concerns about the type of software that could allow strangers to access their private meetings.

Since we’ve had an uptick in requests for this type of analysis from clients, we looked at the top five video conferencing services and their policies and found, unsurprisingly, that all of them support non-member meetings. Basically, these meetings do not require authentication, which means any third-party user can access a meeting using a simple link or code that is typically embedded in email threads and calendar invites. Misuse of unsecured meetings leaves organizations at risk of allowing untrusted individuals access to sensitive information, materials and discussions that weren’t meant for their access.

Over my 20-plus years in the industry, I’ve seen multiple attacks emerge that are extremely clever uses of new vulnerabilities, but the most effective ones are typically far simpler — for better or for worse. The potential for video conferencing platforms to expose sensitive information for the taking is an eye-opener.

The key thing to keep in mind is these platforms all offer various security controls, but like most new technologies, how they’re implemented at scale is what matters. There are encryption, passwords and other controls, so it’s not much of an undertaking to apply policies, but it takes the will to implement and enforce them.

Potential Areas Ripe for Abuse and How to Stop It

While we haven’t publicly heard of any sensitive data being stolen, the “Zoom bombing” phenomenon has become well known. Either way, it’s a preview of how the abuse might work. So, what are the considerations we’re advising clients to think through?

First and foremost, identify your most sensitive meetings. Realistically, businesses are using video conferencing to discuss sensitive information. Think about all the board meetings, financial updates, or merger and acquisition (M&A) conversations that might have taken place in person but are now remote. In a typical organization, these types of meetings make up about 5 percent of all the video conferencing calls a company does in a day. The remaining 95 percent of business meetings aren’t considered as sensitive.

Organizations should look at this problem with a risk-based approach; that means assessing the types of calls they’re conducting via video conferencing platforms and determining confidentiality levels. I often ask clients if they would take a given meeting at a coffee shop, and if they would, would they need to whisper so others couldn’t hear the content? If the answer is yes, it’s most likely a sensitive conversation. Based on those types of assessments, video conferencing security policies should be built and communicated at every job level — from executive assistants to the wider legal team, all groups need to be aware of potential risks.

The other major factor is authentication. With platforms like Zoom adding 100 million daily users just in the past month, the odds of criminals being able to brute force their way into calls are increasing at the same rate. Remember war dialing? Back in the ’80s and ’90s, criminals would (and still do) scan phone numbers to find modems connected to unsecured computers.

Now, with video conferencing, the ability to guess meeting room names or numbers has become just as effective. Most companies use a static web address for their video conferencing platform. I’m sure you’ve clicked on one of these before, something like “videoplatform.acmecorp.com/janedoe.” With a bit of social engineering, crafty criminals can discover the room names for corporate officers and join their meetings without much effort. Similarly, brute-force attacks can be effective against services that use numbered rooms.

To help businesses start their security strategy for confidential meetings, here are some tips to help create greater privacy and control:

  • Confidential Call Policies: Have employees evaluate their meetings’ sensitivity when they’re first scheduled. This will help determine what security protocols are needed. Meetings such as board meetings, pre-earnings discussions and M&A discussions that usually occur in person are now moving to video conference. A good rule of thumb is, would you normally take the meeting at a coffee shop? If not, consider it confidential.
  • Consider Unique Meeting IDs: Many platforms give users a standard meeting room name, which is often a predictable combination of the company and individual’s name. While these are convenient for the 95 percent of meetings that aren’t highly confidential, such as a quick one-on-one meeting with your manager, sensitive meetings with a bigger group should have a unique meeting identifier. Keep in mind that reusing room names allows previously invited participants to join all future meetings with the same name — sensitive or otherwise.
  • Implement Meeting Passwords/PINs: For an extra layer of security, beyond a unique meeting ID, apply unique passwords or PINs so only invited participants can join calls. And if your platform defaults to non-member meetings, make authenticated meetings standard.
  • Roll Call: Meeting hosts should make sure they know everyone on their sensitive calls; do this with a simple roll call before the meeting starts. This will help to identify participants dialing in using nameless phone numbers instead of a profile, similar to what non-member meetings allow.
  • Revise Settings: Take advantage of features like waiting rooms that require the host to add attendees to the meeting. Other controls, such as disabling the ability to join a meeting before the host arrives, can keep participants from accidentally discussing sensitive information before knowing who is on the call.
  • Notifications: Turn on notifications to keep track of who enters the meeting room at any given time, and make use of both visual and audible notifications so nothing goes unnoticed.
  • Alternate Hosts/Password Sharing: Apply policies that prohibit employees from sharing meeting room passwords and allowing alternate host permissions to avoid credentials falling into the wrong hands.
  • Once Accessed: If your meeting has already been compromised, the best thing to do is end it immediately — powering through the call only puts sensitive information at risk. And if for some reason you can’t do this immediately, notify and mute all participants so they are aware of the intruder and know not to divulge any further information while you work to end the call. Once the call has ended, report the issue to the platform provider as soon as possible and report the incident to your company’s legal and security teams.

Watch Charles Henderson, X-Force Red’s Global Head, Managing Partner and veteran hacker, present an in-depth recorded event presentation about the COVID-19 threat landscape.

More from Threat Research

Expert Insights on the X-Force Threat Intelligence Index

5 min read - Top insights are in from this year’s IBM Security X-Force Threat Intelligence Index, but what do they mean? Three IBM Security X-Force experts share their thoughts on the implications of the most pressing cybersecurity threats, and offer guidance for what organizations can do to better protect themselves. Moving Left of Boom: Early Backdoor Detection Andy Piazza, Global Head of Threat Intelligence at IBM Security X-Force, sat down with Security Intelligence to chat with us about the rise in the deployment…

5 min read

Ex-Conti and FIN7 Actors Collaborate with New Backdoor

15 min read -   April 27, 2023 Update This article is being republished with modifications from the original that was published on April 14, 2023, to change the name of the family of malware from Domino to Minodo. This is being done to avoid any possible confusion with the HCL Domino brand. The family of malware that is described in this article is unrelated to, does not impact, nor uses HCL Domino or any of its components in any way. The malware is…

15 min read

Your private information is probably being sold on the dark web. How can criminals use it?

18 min read - Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content. Late last year, a well-known ride share app and a gaming company were hacked using well-crafted social engineering attacks. Many organizations think they’re safe from attacks by employing top-of-the-line security practices, tools and systems. Those will help deter many types of attacks, but social engineering is a stealthy method savvy threat actors can use to circumvent those measures. And they obviously do it successfully. Social engineering involves…

18 min read

X-Force Identifies Vulnerability in IoT Platform

4 min read - The last decade has seen an explosion of IoT devices across a multitude of industries. With that rise has come the need for centralized systems to perform data collection and device management, commonly called IoT Platforms. One such platform, ThingsBoard, was the recent subject of research by IBM Security X-Force. While there has been a lot of discussion around the security of IoT devices themselves, there is far less conversation around the security of the platforms these devices connect with.…

4 min read