Video Conferencing Security Challenges and Ways to Address Them
The COVID-19 pandemic forced businesses worldwide to adopt video conferencing as the primary communication and collaboration means for remote workers. While video conferencing platforms such as Zoom, Microsoft Teams, and Google Meet enabled businesses to maintain productivity and communication during challenging times, they also brought new underlying threats. Most of the platforms mentioned had little to no cybersecurity features back then, and soon enough, we started seeing data losses and privacy breaches.
The security threat has been seen on multiple popular platforms, including Zoom, Cisco Webex Meetings, and more. During the Pwn2Own hacking competition in 2021, a major security flaw was discovered in Zoom that allowed hackers to take complete control of a user’s Mac or PC. The flaw was related to Zoom’s screen-sharing feature, which attackers could exploit to gain remote access and execute arbitrary code. Somewhat similar vulnerabilities discovered in Cisco Webex Meetings in 2020 allowed attackers to secretly join meetings without being detected.
Video conferencing security threats are increasing, and decision-makers are concerned about nation-state threats as these platforms can be compromised by attackers trying to steal valuable data. For example, according to a recent IBM breach report for 2022, the average cost of a data breach in the US alone is now $9.44 million. Considering these costly risks, how can video conferencing solutions providers better spot key security threats and address or rather prevent them?
The Biggest Video Conferencing Security Challenges
Businesses must recognize the threats to video conferencing safety and take steps to mitigate them — ensuring secure video communication. Three of the most significant threats video conferencing platforms face today include hijackings by uninvited parties (also known as “Zoombombing”), data leakages, and privacy shortcomings.
Hijacked Conversations
“Zoombombing” refers to the unwanted and disruptive intrusion into video conferencing calls, particularly through the Zoom platform. Attackers can gain unauthorized access to Zoom meetings and disrupt them by sharing inappropriate content or causing other disruptions, which can significantly harm the reputation of businesses.
One example of Zoombombing occurred during a virtual town hall meeting in which a school board discussed distance learning plans. An unauthorized individual joined the call and began shouting racial slurs and offensive comments, causing distress to the participants. The threat became serious enough to be recognized by the FBI, who issued warnings about the practice. These threats can compromise the security and confidentiality of video conversations, putting sensitive information at risk.
Data Leakages
Data leakages refer to instances where sensitive information is unintentionally or deliberately exposed to unauthorized parties. In video conferencing platforms, data leakages can occur when video calls are not appropriately secured or when user information is mishandled. This can result in reputational damage, legal and regulatory implications, and financial losses.
One of the cases in point happened in April 2020, when it was revealed that Zoom had inadvertently shared user data with Facebook without obtaining proper consent, highlighting the potential risks of data leakages in video conferencing platforms.
Privacy Shortcomings
Privacy shortcomings are the deficiencies in protecting personal information and data privacy in video conferencing platforms. Inadequate encryption of user data, mishandling of user information, and unauthorized access to personal information are just a few examples of privacy shortcomings. The harm caused by them can be quite influential, potentially resulting in identity theft and reputational damage.
For instance, in the March 2020 case of the Zoom iOS app sharing user data with Facebook, the transferred data included information about the user’s device model, carrier, time zone, and city. This caused significant controversy, highlighting concerns over the mishandling of user data and privacy in video conferencing platforms. Zoom overcame this by releasing a statement acknowledging the issue and releasing an updated app version that no longer shared data with Facebook.
With these threats appearing or having previously appeared on video conferencing platforms, it is a must for businesses to overcome them by taking simple yet meaningful steps to ensure privacy and security.
Strategies to Tackle and Prevent Security Threats
To address the security challenges enlisted above, we have conducted five strategies for video conferencing platform owners aimed to ensure safe online communication. These strategies range from protecting meetings, calls, and chats from unauthorized access, ensuring safe storage of recorded content, implementing reliable authentication methods, and establishing policies and controls to safeguard private data to conducting regular security audits and scanning for potential security threats.
Encrypting, Audio Signature, and Watermarking
One way to protect video conferencing calls is through encryption, audio signature, and watermarking. Encryption ensures that only authorized parties can access the conversation, preventing unauthorized interception and eavesdropping. Audio signature and watermarking add unique identifiers to the audio stream to help authenticate the source and prevent tampering or modification of the content.
Zoom, for example, uses an audio signature that adds a user’s personal information as an inaudible watermark to recorded meeting audio. This helps Zoom identify who recorded the meeting if the file is shared without permission. Another measure they take is a watermarked screenshot — overlaying an image of a meeting participant’s email address onto the shared content and video of the person sharing their screen. Google Meet also supports encryption measures to secure data and privacy. Encryption is applied to all data in transit by default in video meetings on web browsers, Android and iOS apps, and Google meeting room hardware. Additionally, Meet recordings stored in Google Drive are encrypted at rest by default.
Safe Recording Storage
Another method to protect video conference recordings from unauthorized access and theft is safe recordings storage. Video conferencing platforms can use encryption and other security measures to safeguard recordings stored in their servers. For instance, Zoom protects its cloud recordings using Advanced Encryption Standard (AES) encryption. Only authorized users with appropriate credentials can access and download these recordings.
MFA and 2FA
Reliable authentication methods such as Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA) can add an extra layer of security to video conferencing. MFA requires users to provide two or more forms of authentication to access their account, such as a password and a fingerprint scan, while 2FA considers two forms of authentication, such as a password and a verification code sent to their phone. This can help prevent unauthorized access to video conferencing accounts, as it makes it more difficult for attackers to gain access even if they obtain a user’s password.
In 2023, Zoom launched Okta Authentication for End-to-End Encryption (E2EE) to verify the identity of meeting participants. This feature allows organizations to use Okta’s MFA to securely authenticate Zoom users and ensure that only authorized participants can access the E2EE-encrypted meetings. Another example, by a Zerify solution, involves out-of-band MFA to secure video conferencing. This method involves sending a one-time password (OTP) to the user’s phone, which they must enter to verify their identity before accessing the meeting. This adds an extra layer of security beyond just a username and password.
Policies and Controls to Safeguard the Private Data
Policies and controls are the procedures and protocols placed to safeguard private data during video conferencing. In Forbes’ 2021 article, which suggests businesses prioritize data security and take proactive steps to protect sensitive information, the author insists that it is mostly the businesses at risk since they usually take the hit rather than the consumers. Hence, it is essential for businesses to adopt policies and control measures to safeguard their private data shared via video conferencing.
Regular Security Audits and Scanning the Solution for Security Threats
This strategy involves ongoing monitoring of the video conferencing solution to identify and mitigate potential security risks. This process consists of conducting periodic vulnerability assessments and penetration testing to detect any security vulnerabilities and assess the effectiveness of existing security controls. The audits include penetration tests, QA measures, intrusion detection, and software security reviews.
If you are looking for more information on video conferencing security and overall video industry-related expertise, check out DataArt’s Video expertise page and learn more about how we can help your business navigate the challenges the video industry faces today.
Author: Max Kalmykov
Vice President of Media and Entertainment Practice at DataArt
Originally published on https://www.dataart.com/blog.
