Video conferencing apps like Zoom have become popular with professionals working from home globally, who are using it for virtual meetings, presentations and calls. Millions of people have turned to the app as they work and study from home amid the global lockdown. In India too, it became the top app on the Google Play Store following the lockdown induced by the Covid-19 outbreak. The Zoom app’s main selling point is that it offers free, 40-minute conference calls with up to 100 attendees. It’s easy to use — people don’t need a login to access a meeting — and the interface is relatively intuitive. However, those same features put people at risk.
When any technology sees its popularity increase quickly, the number of bad actors taking advantage of new and untrained users also grows. The world is seeing this now with videoconferencing services and applications, as reports about the popular Zoom app being hijacked — known as “Zoom-bombing” — have surfaced. India’s nodal cyber security agency has warned users of video-conferencing app Zoom that it is prone to cyberattacks. This came following instances of leaked passwords and hackers hijacking video calls midway through conferences. A virtual conference of the Broadcast Audience Research Council had to be stopped midway because of a “hacking” episode where miscreants took control of chat windows on the app.
The FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language. In late March 2020, a Massachusetts-based high school reported that while a teacher was conducting an online class using the teleconferencing software Zoom, an unidentified individual(s) dialed into the classroom. This individual yelled a profanity and then shouted the teacher’s home address in the middle of instruction.
Cybersecurity researchers have warned that security loopholes in the software could allow hackers to eavesdrop on meetings or commandeer machines to access secure files, and traffic from some users has been routed through data centers in China. While Zoom offers end-to-end encrypted chat—meaning only the participants in the exchange have access to the contents of the messages—its video calls are not encrypted in the same way by default. In 2019, Zoom had a flaw that allowed hackers to turn on someone’s webcam without their consent, and without them noticing. On top of that, when someone had the Zoom app closed and even uninstalled, the software left a web server up and running, allowing for an automated install of the app if someone invited the user to a Zoom call. Finally, Zoom makes it really hard for you to join calls without installing the app, even though that’s possible.
“Insecure usage of the platform may allow cyber criminals to access sensitive information such as meeting details and conversations,” Indian Computer Emergency Response Team (CERT-In) said in an advisory. “The rapid uptake of teleconference platforms such as Zoom, without proper vetting, potentially puts trade secrets, state secrets, and human rights defenders at risk,” researchers at the University of Toronto’s Citizen Lab wrote.
While hijacked meetings are disruptive and disturbing for participants, a more insidious threat is intruders who lurk in meetings without revealing their presence — a nightmare for corporate security and individual privacy alike. It also creates the risk of sensitive information leaking to adversaries. Thousands of private recordings of Zoom meetings have been discovered on the open web, according to The Washington Post. As more of its employees shift to working from home due to the COVID-19 pandemic, the U.S. Department of Defense is warning workers to take security precautions to guard against potential hackers. DOD soon will issue detailed guidelines to employees on how to protect personally identifiable information and sensitive departmental information, said Dan Walsh, the deputy director of the Pentagon Force Protection Agency.
Taiwan barred all official use of Zoom, becoming one of the first governments to impose an outright ban on the popular video-conferencing app over mounting security concerns. Zoom routed data through servers in China and used developers there, according to a Citizen Lab report. Any official data being routed through China poses a major risk for Taiwan. Beijing claims the self-ruled island as part of its territory, and threatens to invade if Taiwan moves to make its independence official. Taiwan isn’t the first to take such action. Elon Musk’s SpaceX and New York City’s Department of Education have already banned its use.
FBI proposes Cyber Security measures
As individuals continue the transition to online lessons and meetings, the FBI recommends exercising due diligence and caution in your cybersecurity efforts. The following steps can be taken to mitigate teleconference hijacking threats:
- Do not make meetings or classrooms public. In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.
- Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.
- Manage screensharing options. In Zoom, change screensharing to “Host Only.”
- Ensure users are using the updated version of remote access/meeting applications. In January 2020, Zoom updated their software. In their security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
- Lastly, ensure that your organization’s telework policy or guide addresses requirements for physical and information security.
Cyber security of Videoconferencing apps
Video conferencing software and hardware should feature 128-bit Advanced Encryption Standard (AES) protection. Considered unbreakable in practice, 128-bit encryption is a security measure that enables video conferencing systems to use a 128-bit key to encrypt and decrypt all video calls between systems. The keys are automatically generated at the beginning of each video session and, according to research, are so strong that it would take a supercomputer one “billion billion” years to brute-force a 128-bit AES key.
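As an added example (not code from the original article or from any conferencing vendor), the following Go program models the per-session key scheme the paragraph describes: a fresh random 128-bit key is generated when a session starts, each media frame is encrypted with AES-128 in GCM mode so that a tampered frame is rejected on decryption, and BruteForceYears carries out the keyspace arithmetic behind the “billion billion years” figure. The GCM mode, the nonce layout and the guess rate used in main are this example's assumptions; the article only specifies 128-bit AES.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"math"
)

// SessionKeyBits is the key size the article recommends: 128 bits.
const SessionKeyBits = 128

// NewSessionKey draws a fresh random 128-bit key, mirroring the
// "key generated at the beginning of each video session" model.
func NewSessionKey() ([]byte, error) {
	key := make([]byte, SessionKeyBits/8)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealFrame encrypts one media frame with AES-128-GCM (assumed mode). The random
// nonce is prepended to the ciphertext; GCM also authenticates the frame, so a
// single flipped bit in transit is detected when the receiver opens it.
func SealFrame(key, frame []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, frame, nil), nil
}

// OpenFrame decrypts and verifies a frame produced by SealFrame. It returns an
// error for a frame sealed under a different session key or modified in transit.
func OpenFrame(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed frame too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// BruteForceYears estimates the expected time to find a 128-bit key by exhaustive
// search at the given guess rate (on average half the keyspace must be tried).
func BruteForceYears(guessesPerSecond float64) float64 {
	keys := math.Pow(2, SessionKeyBits)
	secondsPerYear := 365.25 * 24 * 3600
	return keys / 2 / guessesPerSecond / secondsPerYear
}

func main() {
	key, _ := NewSessionKey()
	frame := []byte("constructed sample video frame") // constructed input
	sealed, _ := SealFrame(key, frame)
	plain, err := OpenFrame(key, sealed)
	fmt.Printf("decrypted: %q err=%v\n", plain, err)

	sealed[len(sealed)-1] ^= 0x01 // simulate one corrupted bit on the wire
	_, err = OpenFrame(key, sealed)
	fmt.Println("tampered frame rejected:", err != nil)

	// Assumed rate: 10^18 guesses per second, a generous figure for a supercomputer.
	fmt.Printf("years to brute-force at 1e18 guesses/s: %.3g\n", BruteForceYears(1e18))
}
```

Because the key never leaves the two endpoints and is discarded when the session ends, a key recovered later exposes only that one session; the brute-force estimate is what makes recovery by guessing irrelevant in practice.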
Most security-minded video conferencing systems use single sign-on (SSO) for user authentication because it greatly reduces the risk of user credentials being lost, stolen or compromised. Because SSO credentials are tied to a user’s authorization and entitlements profile, IT can track where, when and how credentials are used. Better still, in the off-chance credentials are compromised, IT can quickly determine which video systems were breached, what occurred during the breach, and lock the system to control damage.
Video conferencing providers that take a domain-based approach to security are ideal in that they allow people to collaborate in a secure and well-controlled environment, according to Sara Moseley of Highfive. Whether managed by the video conferencing provider or in-house by IT, domain-based security enables the system administrator to control access to video conferences by assigning various levels of permission to users. For example, if your video system uses domain-based security, an outsider who attempts to start a video call with someone in your company must wait until a user with the required permissions signs on and grants that person access. Data security firm Rapid7 recently conducted a business vulnerability study and found that there are two primary mistakes most companies make when installing video conferencing equipment. The first mistake is connecting it directly to the Internet without using a firewall. The second is setting it to automatically answer incoming video calls, which provides remote intruders with easy access, Moseley writes.
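The FBI checklist above (meeting password or waiting room, no public links, host-only screen sharing, updated client) and Rapid7's two installation mistakes (no firewall, auto-answer enabled) are the kind of guidance that is easy to state and easy to drift from. As an added example, not part of the original article or any vendor's tooling, the following Go program expresses both sets of recommendations as a policy check: Audit lists every rule a meeting configuration violates and Harden produces the corrected configuration. The MeetingConfig fields are this example's own vendor-neutral names, not any product's API, and the sample configuration is constructed.

```go
package main

import "fmt"

// MeetingConfig is this example's own description of a meeting's security
// settings. The field names are hypothetical and map to no product's API.
type MeetingConfig struct {
	Name             string
	PasswordRequired bool   // FBI: require a meeting password
	WaitingRoom      bool   // FBI: or admit guests from a waiting room
	LinkPostedPublic bool   // FBI: never post the link on an unrestricted public post
	ScreenShare      string // FBI: "host_only" rather than "all_participants"
	ClientUpToDate   bool   // FBI: run the current client version
	BehindFirewall   bool   // Rapid7: room systems must not face the Internet directly
	AutoAnswerCalls  bool   // Rapid7: unattended auto-answer lets intruders in
}

// Finding is one deviation from the guidance, with a rough severity.
type Finding struct {
	Severity string
	Message  string
}

// Audit returns every recommendation the configuration violates.
func Audit(c MeetingConfig) []Finding {
	var out []Finding
	if !c.PasswordRequired && !c.WaitingRoom {
		out = append(out, Finding{"high", "meeting is effectively public: require a password or enable the waiting room"})
	}
	if c.LinkPostedPublic {
		out = append(out, Finding{"high", "join link posted publicly: send it directly to intended attendees"})
	}
	if c.ScreenShare != "host_only" {
		out = append(out, Finding{"medium", "screen sharing open to all participants: restrict it to the host"})
	}
	if !c.ClientUpToDate {
		out = append(out, Finding{"medium", "client is outdated: update to the latest release"})
	}
	if !c.BehindFirewall {
		out = append(out, Finding{"high", "room system exposed directly to the Internet: place it behind a firewall"})
	}
	if c.AutoAnswerCalls {
		out = append(out, Finding{"high", "auto-answer enabled: incoming calls must be accepted by a person"})
	}
	return out
}

// Harden returns a copy of the configuration with every recommendation applied.
func Harden(c MeetingConfig) MeetingConfig {
	c.PasswordRequired = true
	c.WaitingRoom = true
	c.LinkPostedPublic = false
	c.ScreenShare = "host_only"
	c.ClientUpToDate = true
	c.BehindFirewall = true
	c.AutoAnswerCalls = false
	return c
}

func main() {
	// Constructed sample: a meeting left on the permissive defaults the article warns about.
	weak := MeetingConfig{Name: "weekly-standup", ScreenShare: "all_participants", AutoAnswerCalls: true}
	for _, f := range Audit(weak) {
		fmt.Printf("[%s] %s: %s\n", f.Severity, weak.Name, f.Message)
	}
	fmt.Println("findings after hardening:", len(Audit(Harden(weak))))
}
```

Running Audit over every scheduled meeting before it starts turns the checklist into something an administrator can enforce rather than merely circulate; the password-or-waiting-room rule is deliberately a single check because the FBI guidance treats either control as sufficient to make the meeting private.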
Many Zoom alternatives are available from FaceTime, Microsoft, Google, Cisco, LogMeIn, an open-source option, and more. FaceTime offers a great experience and full end-to-end encryption but unfortunately, it’s limited to Apple devices. Skype is a nice cross-platform option. It’s free, has a much better track record than Zoom for security and privacy, and is owned by Microsoft. If you need a more business-focused solution that integrates more than just chat, Microsoft Teams is a viable option. Here you’re getting chat, video calls, and integration with Microsoft’s other software products to collaborate. Naturally, this is most conducive for businesses that are already using other Microsoft software products like Office 365. Cisco Webex, TeamViewer, GoToMeeting and the open-source Jitsi would be more comparable to Zoom as they are independent of software suites from Google or Microsoft. Highfive’s high-quality, all-in-one, HD video conferencing devices enable people to connect quickly, easily, and most importantly, through secure video conferencing. Featuring 128-bit AES encryption technology, single sign-on access, and domain-based security,