Although videoconferencing has been steadily increasing in popularity over the last decade, 2020 has undoubtedly seen an explosion of use. Local, national and international restrictions on travel, work and even going outside have severely disrupted life for most of the world in the past few months. Videoconferencing apps like Zoom, Microsoft Teams, WhatsApp and FaceTime have offered solutions for working remotely, continuing school courses and staying in touch with family. The growth has been so overwhelming that Zoom went from 10 million daily users in December 2019 to 200 million daily users three months later.
Not surprisingly, a corresponding rise in hacker activity focused on videoconferencing invasion has occurred. This has led to the term “Zoombombing,” referring to hacking attempts on the most popular video app available today. Users have seen video chats interrupted by inappropriate and offensive music, images and speech.
Consumers and business professionals are understandably concerned about the threat this poses. The possibility of disruption is disturbing enough, but a more pressing concern for businesses is the potential for someone to listen in to meetings and compromise trade secrets or business strategy. Corporations need to ask two crucial questions: what kind of threat are we facing, and how do we mitigate it?
Understanding the Vulnerability
In the fall of 2018, a Google Project Zero researcher named Natalie Silvanovich revealed numerous critical security concerns in the majority of videoconferencing apps available at the time. These specific vulnerabilities were quickly patched, but the disclosure showed that weaknesses were present, and videoconferencing was not as secure as many had assumed.
The technology continued to evolve, but videoconferencing remained a somewhat-unnecessary feature for most business applications as companies continued to prioritize face-to-face meetings and teleconferencing above video.
This context is important because it demonstrates that any technology experiencing a 2,000-percent growth in a single quarter is going to be exposed to security breaches that weren’t previously an issue. For example, while numerous attacks have featured videoconferencing software as a key impact point, vulnerabilities often lie with consumers who had critical security weaknesses other than the video app itself. Some weren’t using the latest version of the software or had not updated their antivirus. These types of threats aren’t typically a concern for an enterprise-level business with up-to-date firewalls and security protocols.
However, there are still concerns with some of the videoconferencing platforms themselves. Dave Kennedy, a former Marine Corps cyberwarfare expert and current CTO at Binary Defense, evaluated flaws with Zoom and stated that most were low- to medium-risk, and he didn’t consider them to be “world ending.” He advocated for a risk analysis that took a user’s activity and purpose into account. For most, Zoom (along with other mainstream video apps) is a perfectly adequate and secure platform. “Most of these exposures wouldn’t even bubble up to a high or critical finding in any assessments a normal tester would conduct. Yet, it has world reaching implications to the masses that don’t understand the technical details. It creates hysteria when it is not needed.”
For their part, Zoom has momentarily halted all feature development and dedicated their engineering resources to focus exclusively on “trust, safety and privacy issues.”
How to Mitigate Vulnerability
Businesses can follow several best practices to minimize their exposure to videoconferencing hacking. The first is to ensure that your software is updated to the latest version whenever a new patch becomes available. These often resolve identified security concerns, nullifying a potential attack vector hackers could exploit. The flip side of not staying up to date is that, when patches are released, they explicitly identify gaps in your software’s armor, so even if hackers weren’t aware of these openings before, they could rapidly take advantage of them if the software isn’t updated.
Companies should place any videoconferencing platform behind a firewall. This negates unauthorized access, removing the brunt of the security burden from the conferencing software itself and transferring it to something that was designed to foil hacking attempts. A complementary security measure is to avoid taking calls from any unknown parties. Work with your administrative personnel to clarify procedures when scheduling video calls outside of the organization: confirm who is going to be hosting the call, and identify all participants who will attend before the meeting starts.
Finally, evaluate the needs of your business with security features in mind. Secure apps that offer end-to-end encryption are available, and the increased expense might be justified for your needs. However, keep in mind that while videoconferencing security is a concern, the majority of the exposure has occurred due to drastically increased traffic rather than gaping vulnerabilities. Be intentional and manage the risk effectively, but keep in mind that there’s little reason to panic.
Moiz Bhinderwala leads the technical services and logistics teams at Dynamic. With more than 10 years of experience in the IT industry, Moiz has deep knowledge of the complex technological landscape, working closely with clients to understand their IT challenges and help design custom technical solutions to meet their business goals.