Is Zoom Simply the Canary in the Coal Mine?
Video Conferencing in 2019
It seems as if it were just yesterday when unified communications and video conferencing were relatively simple. Microsoft and Cisco ruled the roost in terms of market share. However, Zoom was the industry darling — much easier to use and more fun to use as well. Back in the pre-COVID-19 days, a significant portion of knowledge workers spent their days working IN the office. Also, primarily because most people were IN the office, there seemed to be greater hesitation about using video for a conference call.
Finally, and perhaps most importantly, there was a clear separation between conferences for WORK and conferences for social/non-work reasons. And, the UC (unified communications) platforms employed for these different conference types were mostly clearly delineated — e.g., Cisco, Zoom, and Microsoft for work and LogMeIn, HouseParty and Skype for consumer. And video conferencing security issues — was that really something to be concerned with?
Video Conferencing Post-COVID-19
But then suddenly things changed. Beginning in early March, the world experienced an unprecedented shift to working from home. This resulted in two significant transformations. First, organizations suddenly found themselves with the need to deploy real video conferencing on a massive scale. And second, the threat of video conferencing security dangers quickly became a top issue in the UC world. But there was a problem:
- IT was not ready. A recent survey found that 85 percent of companies believe embracing the public cloud is critical to fuel innovation. But only 40% of those who have already adopted public cloud have a cloud security management approach in place.
- End-users were not ready. Given the tricky tension between managing risk and managing usability, ease of use easily triumphed. Most end-users either did not know about all the settings that they should have been paying attention to, or they assumed that someone else was managing these things on their behalf on the back end. Technology cannot bridge the gap of user behavior, and most of the real technological harm to individuals comes from people using products in a technically correct but harmful manner.
- And, in many cases, the UC platforms were not ready either.
One issue has been very consistent both pre- and post-COVID-19: the entire notion of collaboration security has been under-appreciated by organizations. The term “collaboration” means the communication of ideas, concepts, and designs between multiple stakeholders. As such, users are putting everything out there, giving a successful attacker unfettered access to potentially sensitive data.
For instance, the sender may be unaware of all the channel members and may inadvertently expose confidential information to a broader audience than intended, including external participants. If an end-user shares a link to a sensitive document by mistake, they could end up exposing the company to regulatory penalties and the cost of investigating and notifying those involved in the data leak.
How Video Conferencing Security Works
There’s no questioning that security is a crucial part of video conferencing, but what exactly are the key elements of conferencing security and how does it work? It is easiest to split the security aspects up into three key areas: 1) Pre-Call Settings and Policies, 2) Call Data Transmission, and 3) Post-Call Archiving.
- Pre-Call Settings and Policies: A secure and successful conference call starts with ensuring that all the proper settings are deployed (based on a company’s stated security policies). The difference between a secure call and a “Zoom-Bomb” or an exposed chat thread is as simple as a few checkboxes. These settings can be locked down by IT or taught to end-users. All the UC platform providers are becoming increasingly savvy about grouping these settings in ways that are easier to understand (and implement).
- Call Data Transmission: During a video conference, data transmission is the most vulnerable area of conferencing security since the data must travel over so many public and private networks to reach its destination. If a hacker attacks a non-encrypted conference call, the conference stream can turn into a private surveillance camera, recording and re-broadcasting corporate secrets and top-secret intelligence.
- Post-Call Archiving: Video conferences are often archived for later use. Since both the media and the metadata (i.e., attendee lists, polls, shared content, etc.) from these video conferences could be sensitive, data storage needs to be secure and separate from all other networks. It is not advisable to use standard computers and hard drives to store video-conference data, since these machines are the most susceptible to intrusion, either from internal or external sources.
Video-conferencing security is not only in a company’s best interest — it is the law. Recent government regulations like the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act of 2002 require that medical providers, financial institutions and other corporations secure all digital data associated with their customers and patients. That includes all electronic transmissions of personal client data, even video conferences.
The Zoom Canary in the Coal Mine
Fair or not, in the space of weeks, Zoom went from everyone’s favorite stock to buy (and product to use), to everyone’s favorite video conferencing security issue to criticize. Yet, if you do not follow security news, then you might think that the hard-core InfoSec community thought Zoom was secure before the pandemic hit. Not true. As we will point out later in this post, Zoom (like other UC platform vendors) had experienced security issues back in 2019. At the time Zoom seemed to defend their decisions, saying that their customers chose Zoom for ‘frictionless video communications’ and that fewer clicks were the right decision.
The difference between the Spring of 2020 compared to last summer is that a whole new set of technology users — students, teachers, family members, and small organizations — are utilizing videoconferencing to run classes, often without any IT or security support behind them. In fact, as of late April 2020 Zoom has more than 300 million daily users (up from 10 million before the outbreak of COVID-19). For many of these new users, traditional messaging efforts around security training have been few or non-existent, and even companies with previously stringent security practices rushed to implement new platforms to allow productivity, leading to a paradise for hackers and cyber-criminals.
Zoom is also suffering from the meta-threat about the hazards of free. On the one hand, Eric Yuan (Zoom CEO) has shown extraordinary altruism by offering Zoom free to almost everyone during the Covid-19 crisis. But on the other hand, the sudden shift from the office to ubiquitous work from home was a bit too overwhelming. “We didn’t so much move the conference room into our kitchens as into the middle of the public square,” says Riana Pfefferkorn, associate director of surveillance and cybersecurity at Stanford’s Center for Internet and Society. The vast usage tidal wave coupled with Zoom’s security issues has caused everyone from New York City to the European Union to threaten Zoom bans. Additionally, Zoom video conferencing competitors (Cisco, Facebook, Google, Microsoft, and others) have rushed to try to assure and convince customers that their offerings are safer.
Yet, even in the face of these bans, organizations persist in their use of Zoom despite privacy concerns because “other tools just work less well.” When questioned about Zoom, a U.K. government source said, in a line that you could imagine appearing on the Zoom website: “The app was quick to set up between the varying systems used by different government departments.” Zoom was easy to install, and in the current climate, the government needed it to work more than they needed it to be secure. Zoom’s 90-day security sprint, culminating in its new Zoom 5.0 release, seems to have, if not “fixed” all previous security gaps, perhaps even put Zoom in a security leadership position.
Further, for IT or department heads looking for the perfect zero security risk video conferencing platform, there’s a danger of sounding like a conspiracy theorist. If you veto Zoom, it becomes your responsibility to find an alternative. As we’ll note later in the post, in spite of what they’d have you believe, most of the competitors have their own set of issues. It’s easier to submit to peer pressure when someone says, “shall we use Zoom as we know it works?”
The reality is most casual users will never experience any security problems with Zoom, and so the issues become difficult to care about in practice. In fact, in a recently completed survey, Zoom jumped from the 10th most popular video conferencing platform in 2019 to 2nd place in 2020, running only just behind Cisco Webex Teams.
Video Conferencing Security Loophole Specifics
Nevertheless, the security issues for any conferencing platform are real. Let us examine the top security issues of the day. The blame for almost all problems is not solely IT, the end-users, or the UC platform vendors. There is a shared responsibility for learning and execution that needs to happen across the board to secure video conferences.
- SECURITY SETTINGS: Service security measures are never foolproof. All the top UC conferencing platforms have so many bells and whistles that they are too complex to navigate. For example, Zoom quickly changed its default settings to make Zoom bombing less common. All meetings now require passwords by default. In addition, all meeting participants must enter a “Waiting Room” until the host allows them to join. It’s not as if Zoom didn’t have these control knobs available earlier; IT either didn’t enable them as the default or didn’t educate users about how (and when) to use them.
- POLICIES: For emerging technologies, the conventional IT impulse is to lock down/discourage adoption until the organization fully understands the risks; however, this impulse isn’t feasible, because business adoption (particularly in times of ‘crisis’) isn’t only a security decision. Gartner advocates instead, “a Zen mindset that intertwines well-defined policies with rigorous meditation and self-control on the part of IT.”
- PHISHING: Apart from exploiting security bugs, cybercriminals have other attack vectors when it comes to collaboration. Apps like Slack, Microsoft Teams, and Zoom have chat messaging components that can be used for phishing attacks. These phishing attacks include stealing credentials and delivering malware payloads through links and attachments, just like email.
- RECORDINGS EXPOSURE: Any number of different security misses can inadvertently make recordings public. A lack of complex-password or default-password requirements, or a non-existent policy regarding recordings, could lead to data leakage.
- POTENTIALLY REVEALING TEXT CHATS: If a host records a conference call locally, it will include any private chats between that host and other participants alongside the meeting video. If the host subsequently shares the entire meeting folder with colleagues, the contents of those private chats will get exposed.
- MEDIA ROUTING: Media in transit usually refers to any audio/video/desktop share streams during the meeting. Customers typically have the option to customize which data center regions to use for real-time meeting media. These customizations can happen at the account, group, or user level. In addition, they allow for both opting out of specific data center regions and opting into specific data center regions.
- END-TO-END ENCRYPTION: For conferencing platform vendors to offer features such as transcription and recording, facial recognition, echo cancellation, noise reduction, or audio mixing, they must be able to decrypt video and audio data to analyze and/or massage it. The typical model for encryption among meeting applications is data at rest (on the provider’s servers) and in motion (e.g., endpoint to server). Most platform vendors have gaps in their offerings related to either complete end-to-end encryption and/or the ability for customers to manage their own encryption keys as standard in their services. Many of the vendors publish transparency reports that list government requests for data. Most of the vendors now offer secure AES 256-bit GCM encryption. This provides increased protection of meeting data in transit and resistance against tampering. It is important to note, though, that platforms usually can’t extend encryption to the legacy telephony networks. In addition, a lot of desk phone devices still don’t have firmware and hardware that will support secure encryption.
Collaboration platforms risk exposure beyond Zoom
Zoom has lately been the recipient of all the conferencing security flak. However, Slack, Cisco WebEx Teams, Google Meet, and even Microsoft Teams, are certainly not lacking in security functionality gaps. Let us do a quick run-down of examples where some of the best-known UC platforms have shown exposure areas:
- Cisco Webex Teams: In March 2019, Cisco patched two high-severity vulnerabilities in the video-conferencing platform. If exploited, these could have allowed an attacker to execute code on affected systems. And earlier in the year, they fixed a bug that would otherwise allow unauthenticated users to join password-protected meetings.
- Slack: Also, in March, a critical vulnerability was found in Slack, which could allow automated account takeovers (ATOs) and lead to data breaches. Additionally, although Slack is the overwhelming leader in AppStore “integrations”, this also leaves them exposed. There have been instances where an attacker has created a Slack add-on that advertises some excellent features but also reads channel data once end-users install the app.
- Houseparty: It appears that when you start a “house party”, anyone in your contacts can join. However, it is possible to “lock” a room once the people you want to be there are in it. It also has questionable privacy policies and collects a lot of anonymized end-user information, which it can then re-sell.
- Google Meet: The remodeled Meet solution features a 25-character string for meeting IDs. It also restricts external participants from joining a meeting until 15 minutes before the meeting starts. However, it does not yet offer full encryption.
- Microsoft Teams: For the time being, Microsoft seems to be winning the communications war related to conferencing security. Their current reputation may be due to better security settings, enterprise security experience, or simply a better PR effort. They do boast many of the security settings & features that other platforms are now starting to deploy or consider. However, just yesterday (on April 27th) it was revealed that in the early spring of 2020 Teams had a security flaw that would allow a ‘malicious GIF’ to steal user data across an entire company. Additionally, some customers are still looking for Teams to implement some advanced security features previously valued in Skype for Business. Some of these features include enabling virtual lobbies for participants and locking certain features while still allowing for individual customizations. Additionally, Microsoft needs to keep up with security innovations and updates to avoid facing similar criticism as Zoom. Upcoming changes for Teams meetings later this year include setting company-wide visual content-sharing privileges and host capability for changing lobby. Other features worth noting include settings preventing external guests from seeing telephone numbers and downloadable event attendee reports.
Ironically, one unintended consequence of all UC platform vendors’ efforts to respond aggressively to the security needs of their customers is that this speed has, in and of itself, created issues. For example, when Zoom began to change its security default settings aggressively, it did it too quickly. Therefore, it failed to allow for time to inform its customers in advance. Such quick responses without proper notice left IT teams scrambling to incorporate the changes in their policies.
Top 10 Checklist for Video Conf Security Etiquette Success
Both IT and end-users need to keep a core list of Video Conferencing best practices in mind. This renewed and hyper-vigilant form of digital workplace dexterity is essential, no matter if you adopt a Zen approach to security or have an Orwellian degree of conferencing governance oversight.
- MONITOR & TRACK METRICS: Keep track of relevant metrics related to conferences, which will be critical to help create policies and enhance user satisfaction. Some examples of metrics to track are meeting host “champions”, the number of guests, guests joining meetings most often (and from where), user and admin anomalous behavior, accounts inactive over the past month, internal users joining as guests, etc.
- DEPLOY POLICIES: Create and deploy strong policies across the organization. This will ensure that all or most of the following steps become the default behavior and usage patterns. As an example, make meetings automatically end after a specific time or if only one attendee remains.
- PROTECT & VERIFY MEETING LINKS: Passwords can usually be set at the individual meeting, user, group, or account level. Avoid publicly sharing full meeting links. When you receive a meeting invitation, verify that it’s from a known, trusted sender.
- DON’T SHARE PERSONAL IDs: You should not use your personal meeting ID. This could pave the way for pranksters or attackers that know it to disrupt online sessions.
- AUTHENTICATE & TRACK USERS: When creating a new event, you should choose to allow only signed-in users to participate. Eject participants from meetings if an intruder gets in or a participant becomes unruly. Turn on the sound that plays when participants join or leave.
- TURN OFF VIDEO and MUTE AUDIO: Starting calls with audio/video off prevents background noises or images from intruding on calls. Users can quickly turn both settings back on once they have joined.
- SOMETIMES DISABLE JOIN BEFORE HOST: For meetings with external guests, do not allow others to join before the host. However, for internal meetings, allowing users to join before the host saves time in case the host is late.
- USE WAITING ROOMS: The host can use waiting rooms to screen participants before allowing them to enter a meeting.
- AVOID FILE SHARING: Monitor the file-sharing feature, especially for external users sending potentially malicious content.
- DOUBLE CHECK CONFIDENTIALITY: Be sure you are not accidentally sharing or recording anything confidential on your laptop or in your background. Virtual backgrounds can prevent others from seeing sensitive information. Disabling screen sharing (without the approval of the host) prevents accidental or purposefully malicious shares. Getting permission before recording is essential as, depending on the state or country, it may be the law.
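One way to turn the checklist above into a pre-meeting audit, as an added example (not code from this article or from any UC vendor). The `Meeting` fields are hypothetical, vendor-neutral names rather than a real platform's settings schema, and applying the waiting-room rule only to meetings with outside invitees is an assumption.

```python
from dataclasses import dataclass


@dataclass
class Meeting:
    # Hypothetical, vendor-neutral fields (not any platform's real schema).
    topic: str
    host_domain: str
    invitee_domains: list
    password_required: bool = True
    uses_personal_id: bool = False
    signed_in_only: bool = True
    join_before_host: bool = False
    waiting_room: bool = True
    participant_screen_share: bool = False
    file_sharing: bool = False


def has_external_guests(m: Meeting) -> bool:
    """True when any invitee's mail domain differs from the host's."""
    host = m.host_domain.lower()
    return any(d.lower() != host for d in m.invitee_domains)


def audit(m: Meeting) -> list:
    """Return the checklist items that a scheduled meeting violates."""
    external = has_external_guests(m)
    rules = [
        (not m.password_required, "PROTECT & VERIFY MEETING LINKS: no password"),
        (m.uses_personal_id, "DON'T SHARE PERSONAL IDs: personal meeting ID in use"),
        (not m.signed_in_only, "AUTHENTICATE & TRACK USERS: unauthenticated join allowed"),
        # Allowed for internal meetings, flagged once outsiders are invited.
        (external and m.join_before_host, "DISABLE JOIN BEFORE HOST: external guests invited"),
        # Assumption: screening is enforced only when outsiders are invited.
        (external and not m.waiting_room, "USE WAITING ROOMS: external guests not screened"),
        (external and m.file_sharing, "AVOID FILE SHARING: open to external users"),
        (m.participant_screen_share, "DOUBLE CHECK CONFIDENTIALITY: sharing without host approval"),
    ]
    return [message for failed, message in rules if failed]


# Constructed sample schedule; domains and topics are illustrative only.
MEETINGS = [
    Meeting("Weekly standup", "example.com", ["example.com"],
            join_before_host=True, waiting_room=False),
    Meeting("Vendor review", "example.com", ["example.com", "partner.example"],
            join_before_host=True, waiting_room=False, file_sharing=True),
    Meeting("Open office hours", "example.com", ["EXAMPLE.com"],
            password_required=False, uses_personal_id=True,
            signed_in_only=False, participant_screen_share=True),
]


def report(meetings):
    """Map each meeting topic to its list of checklist findings."""
    return {m.topic: audit(m) for m in meetings}


if __name__ == "__main__":
    for topic, findings in report(MEETINGS).items():
        print(topic, "->", findings or "OK")
```

The internal standup passes even with join-before-host enabled, while the same settings on a meeting with an outside invitee produce findings.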
How can IT augment UC Conferencing platform security?
So you have better end-user training, more comprehensive governance, and enhanced UC Platform provider feature sets in place. What else can you do to bolster conferencing security? The answer lies mainly in the form of 3rd party specialty tools.
One great example is security extensions. One such extension debuted on April 16th from education ISV Gaggle, which began shipping Safety Management for Teams; it provides support for schools and districts by monitoring student communications for warning signs of crises.
For IT leaders who specifically want to zero in on Zoom in the short term, Unify Square has recently begun offering two new tools. The first is the new Zoom Security Report. It leverages our AI/ML expertise to target many of the tracking metrics (and more) described earlier.
We are offering customers a 30-day free trial to detect abnormal behavior. Among other things, the trial offer can check if Zoom endpoints are adequately patched into the right service level. The other new offering is our PowerSuite Shadow IT Scout. Shadow IT Scout examines communications patterns, meeting invitations, etc. It identifies Shadow IT usage in an organization related to UC platforms. Much of this usage (especially related to Microsoft Teams and Zoom) is not at all malicious. It is simply the result of the rapid COVID-19 growth spurt.