Should you be concerned about the security of your video conferencing platform? //13.09.20
Should you be concerned about the security of your video conferencing platform?
In 2020, I live on Zoom, Facetime, Teams, On24, and I’m sure you do too. In fact, there are probably 50 other possible platforms that you find yourself joining and leaving. Some of these solutions are embedded corporate tools, and others have plugins, apps or special equipment to install. But as you use these platforms, do you consider the security ramifications, or do you believe that your security team or telecoms team has that under control?
As we have become more and more used to being on video the entire day, we accept the positives and negatives that come with it. But outside of general advice we’ve been given over the years when it comes to over-sharing or environment appropriateness, what additional risks exist in the world of video conferencing?
Building a threat model
There are three types of video systems that I consider when building my own threat model for whether I should consider non-traditional security controls when I’m using a system. They are:
- Consumer/app services: Facetime, WhatsApp, WeChat and Snapchat, for example.
- Corporate integrated systems and unified communications systems: Polycom, Cisco Telepresence, Microsoft Teams and Jabber, for example.
- Global subscription video platforms: Zoom, Blue Jeans, GoToMeeting and Hangouts.
As with any system, what you do with it matters most. Best practice tells us that we shouldn’t have highly confidential meetings in the middle of a coffee shop, just like best practice tells us that we should probably consider additional controls when we want to protect that highly confidential conversation.
Consumer app services
The most widely used of the bunch, consumer video applications let you have quick calls with your contacts on iPhone. These applications have security wrapped around the conversation stream (encrypted communications) but often have an exposure to the device itself or the creator of the application.
The most likely risks with these applications include people eavesdropping on your conversation, the security of your mobile device (Android especially), and the perceived or real access that the creator of the app has to your content. Many are concerned with WeChat conversations moving through China, so if you don’t want someone to listen to your conversation, these apps are likely not secure enough.
There are applications out there like Signal that have end-to-end encryption, but the security risks still exist on the endpoint and where you are when you have the call.
Steps that you can take to maintain your security is to enable all security settings, only send content to those that you trust and be aware of your surroundings. Connecting to public WIFI to have your video call might open you to additional threats, so be aware.
Corporate integrated systems
Many of us remember the days of wiring up conference rooms for the first time with internal-only networking, point-to-point network connections, SIP Trunks and the whole host of telephony and interconnected management systems that made it all work. As a security person who threat modelled these sorts of installations, I had to worry more about physical access and the failure of firewalls than any other attack vector. These rooms were not on the public internet, so most of the external attacks were already mitigated. Only people who were already connected to the corporate address book could connect, and there were no guests allowed. In fact, there was no way to connect to these systems outside of the corporate network. We did this because it was the most secure way to protect the privacy of the meetings.
Most of the equipment in these installations must be security tested by a professional vendor, comply with regulatory standards (especially medical, government, public company) and be integrated by an authorised provider. These security controls were stringent and directly controlled by the company and the vendor. The biggest security risk was eavesdropping by employees who weren’t supposed to attend sensitive meetings.
As cloud management of these environments became more prevalent, direct connectivity over the internet was engineered, additional attacks surfaced around these management consoles and connections where we were suddenly interested in financial fraud, misconfigurations, attendee leakage, and recordings ending up in the wrong hands.
As these technologies matured, so did the ability to add multi-factor access, create point-to-point VPN/SIP integrations, directly integrate with SSO environments and encrypt/protect the backups of critical meetings. Some services even have unique encryption keys per participant, making it very secure – but very difficult to manage as a centralised corporate entity.
Still, these communications systems required the use of corporate managed fat-clients, VPN or being physically present on the corporate network. It was security the traditional way: leave a soft squishy centre of a network and protect the outside with physical and logical access controls.
Global subscription platforms
In 2020, everything changed. As Microsoft’s CEO Satya Nadella stated, we’ve seen “two years’ worth of digital transformation in two months”.
Zoom, the largest subscription platform by user base, experienced a meteoric rise while many other telepresence and work-from-home platforms saw a huge increase in use.
These applications – now installed on personal devices and used from non-corporate spaces – were used whether they were secure or not. People followed the masses and the applications often had to play catch-up with fixing real or perceived security threats.
Zoom had several visible security exposures, which were improved within a series of security projects as part of its 90-day plan. We can learn from the progress Zoom made and extrapolate it into the areas that you should be concerned about when using a video platform for sensitive communications.
Securing your video platforms: a practical guide
I like to break down solutions into layers to make it easier to understand the focus areas in these subscription video services, but this could also be applied to any of the above types of video conferencing.
- Surroundings
- If you need to talk about something sensitive, do it in a safe, private and secure location. Depending on your business and your topic, this could be a highly secure build, or a private room in your residence. Eavesdropping is a real disclosure risk, so take care and pay attention to those around you.
- Content
- The data that you share can be viewed, saved, or backed-up by any participant. If you’re sharing sensitive content, you should make sure that only those authorised are at the meeting and that any special security are met. Remember that you can’t prevent the recording of screens or content on most devices, so accept that any information that you show can be copied.
- Device security
- If you’re using a device to transmit video – a webcam, embedded communication device, standalone equipment, or even a phone – you must make sure that the device hasn’t been tampered with. Hiring a professional security company to analyse your hardware can ensure that it securely transmits information, stores encryption keys appropriately and is as tamper-proof as needed.
- Communications protocol
- Securing your communications is probably the number one thing to do, and usually the easiest as this is taken care of by the provider themselves. Some solutions have true end-to-end encryption, or recipient-to-recipient communication. This gets difficult, with multiple people talking with each other as there is a significant challenge in encryption key sharing among multiple participants to ensure fully encrypted solutions. Make sure that the fully-secure settings are always enabled on your endpoints to protect your communications from man-in-the-middle attacks.
- Recipient
- Are the wrong participants joining your meetings? Have you been Zoom bombed, or have you seen a leak following an important meeting? You might want to look at who is in the meeting, use special passwords, or even build additional audience validation into the attendance. We know that organisations like the World Economic Forum use some forms of automated and manual verification of participants due to the sensitivity of the content
- Commit/storage
- Don’t record a meeting unless you have to. If you have to record a sensitive meeting, manage your console, backup and passwords appropriately. It doesn’t do any good to protect the entire video chat if you’re going to just download the recording and leave it unprotected on a corporate or personal share drive.
- Ongoing integrity
- It’s one thing to configure your settings the first time but you should periodically make sure that nothing has gone amiss after major software upgrades or after patches to your infrastructure. Many tools change settings back to defaults during major updates or re-installations.
As you work through your use of video technology, it’s important to consider the sensitivity of the content as well as the sensitivity of the participants. If possible, and the meeting is extremely sensitive, you probably want to be in the same place. If you simply can’t do that, you need to make sure that your endpoint, communications stream and configurations are secure, verify your participants and not leave sensitive materials laying around.
Many of these items you should be able to do as a user of the tool, but sometimes you’ll need help from your IT or cybersecurity departments. They are responsible for your endpoint, and maybe the standard configuration of corporate tools. You are responsible for being aware of your environment and attendees. And as one popular saying goes, if you see something, say something.