Cybersecurity Considerations When Video-Teleconferencing
As the COVID-19 crisis fast-forward the work-from-home and study-from-home adoption, many are increasingly using the video-teleconferencing platform. This platform, however, has become the new target by cybercriminals.
What Is Video-Teleconferencing?
Video-teleconferencing, also known as VTC, is a technology that allows two or more people in different geographic locations to conduct meetings or online classes in real-time by using simultaneous audio and video transmission. Video-teleconferencing is often confused with Voice over Internet Protocol (VoIP).
The reason why video-teleconferencing is often confused with VoIP is that video-teleconferencing is often an integral part of a VoIP system. VoIP, which serves as a foundation of unified communications, includes not just video-teleconferencing service, but also voice and instant messaging services.
Microsoft’s Skype, Google’s Duo and Zoom are examples of video-teleconferencing software that can be integrated into a VoIP system. The above-mentioned video-teleconferencing software, however, can also be used independently from a VoIP system. On its own, a video-teleconferencing software can be used using an ordinary computer or mobile device. Video-teleconferencing platform is often used or integrated with a VoIP system for quality video-teleconferencing, that is, for achieving near real-time simultaneous audio and video transmission.
Zoom-Bombing and Other Vulnerabilities
Amidst the COVID-19 crisis, the video-teleconferencing app called “Zoom” rose to prominence.
The British Columbia Ministry of Education recently announced that it has secured and funded licenses for the video-teleconferencing app Zoom for all K-12 public and independent schools in B.C. “This will allow consistent access for educators who choose to use it, giving them more ways to communicate with students and parents,” the British Columbia Ministry of Education said.
A team of researchers at the University of Toronto reported that video-teleconferencing app Zoom uses the “AES-256” encryption method and uses the “ECB mode” that’s “not recommended because patterns present in the plaintext are preserved during encryption”. The researchers also found that while Zoom is a Silicon Valley-based company, it owns 3 companies in China through which at least 700 employees are paid to develop Zoom’s software.
The team reported that some traffic from the video-teleconferencing app was being sent through China even though all participants on the Zoom video-teleconferencing were in North America. “The AES-128 keys, which we verified are sufficient to decrypt Zoom packets intercepted in Internet traffic, appear to be generated by Zoom servers, and in some cases, are delivered to participants in a Zoom meeting through servers in China, even when all meeting participants, and the Zoom subscriber’s company, are outside of China,” the research team at the University of Toronto said.
The U.S. Federal Bureau of Investigation (FBI) reported that as large numbers of people turn to Zoom to stay connected in the wake of the COVID-19 crisis, cases of “Zoom-bombing” – the hijacking of Zoom video conferences – have begun to surface. According to the FBI, in late March 2020, a Massachusetts-based high school reported that while a teacher was conducting an online class using the video-teleconferencing app Zoom, an unidentified individual accessed the online class without authority and shouted profanity and the teacher’s home address.
Another Massachusetts-based school reported a Zoom video-teleconferencing meeting being accessed by an unidentified individual. This unidentified individual was visible on the video camera and showed swastika tattoos.
On March 23, 2020, a security researcher who uses the Twitter handle @_g0dmode said, “#Zoom chat allows you to post links such as \\x.x.x.x\xyz to attempt to capture Net-NTLM hashes if clicked by other users.” Another security researcher Matthew Hickey who uses the Twitter handle @hackerfantastic expounded @_g0dmode’s discovery saying that Zoom’s video-teleconferencing app can be used to steal users’ Windows credentials with no warning.
Zoom, for its part, said that the traffic was “mistakenly” routed through China and the company apologized for this incident. To prevent Zoom-bombing, the company released an update in January 2020 that added passwords by default for meetings and disabled the ability to randomly scan for meetings to join. Last April 1, Zoom released a patch that fixes the vulnerability that allows attackers to steal users’ Windows credentials.
Cybersecurity Best Practices When Video-Teleconferencing
Here are some of the cybersecurity best practices when video-teleconferencing:
Choose a video-teleconferencing platform with a high level of encryption.
High level encryption ensures that the contents of the teleconferences or meetings can’t be stolen by malicious actors.
Use a video-teleconferencing platform that requires passwords or other authentication methods in order for one to join a video-teleconferencing session.
In choosing a platform, find out how data is being handled.
Choose a platform that routes teleconference data within your country or continent.
Apply security updates in a timely manner.
Like any other software, video-teleconferencing applications aren’t perfect. Somewhere along the way, security researchers could discover security vulnerabilities.
These known security vulnerabilities are typically fixed by the application vendors within a certain period of time and released via security updates, also known as patches. It’s important to apply in a timely manner these security updates to prevent malicious actors from accessing your organization’s teleconferences or meetings and from further accessing your organization’s network.
Never share a link to a teleconference or online class on public forums or social media.
Provide the link directly to specific individuals.
Prior to any teleconferences, set rules and expectations.
For instance, instead of sending classified materials during the teleconference, these important materials should be sent via a secure email or courier.
When you need help supporting your systems and making sure your software and data and secured, please connect with our trained and certified IT and security experts by calling (416) 920-3000 or emailing firstname.lastname@example.org During these uncertain time, we are open for business and ready to assist you and your staff mitigate the cybersecurity risks.