Video conferencing security: Through the back door
Software such as Zoom and Teams have kept us all working, but the popularity of these platforms has made them a target for hackers. Should we be worried about how secure they are? Paul Milligan looks for answers.
Video conferencing has rarely been out of the headlines since the Covid-19 pandemic struck earlier this year. Can you imagine someone saying that in 2019?
The technology is having its moment in the sun. Much like Sars, Bird Flu and the Ash Cloud before it, during Covid-19 we all found out how vital video conferencing is when travel becomes impossible.
Those selling VC systems for the past decade were finally having their ‘told you so’ moment. Microsoft announced that Teams usage had grown 894% over a 3-month period, while Zoom said their service was up 677% over the same period. So far so great right? well, not quite.
The first wave of hugely positive VC stories focused on how a huge myriad of businesses were able to work as they had before, all from home offices/kitchens/spare rooms, thanks to the likes of Teams, Zoom, Skype and Google Meet. As we know with the media, what goes up often comes down, and what followed was a slew of very high-profile stories on how some of these systems were full of security flaws.
We were introduced to the term ‘Zoom-bombing’, in which hackers were infiltrating video meetings to show offensive content or shout slurs or threats. A series of reports highlighted that Zoom meetings, which are accessed by a short number-based URL, could be guessed by hackers.
This wasn’t helped when UK prime minister Boris Johnson was photographed during a cabinet meeting holding a piece of paper with the meeting ID clearly identifiable.
Zoom was also forced to apologise as all calls were being routed through China causing several western governments to express grave concerns about the software being used for spying and surveillance purposes. The security of VC systems was now front-page news. Further on this summer another report found a security flaw within Zoom gave hackers access to users’ laptop cameras and microphones, and even allowed hackers to start video call on a Mac without their consent.
Zoom was also forced to apologise for falsely claiming it provided end-to-end encryption when it didn’t, and for sending data to Facebook without permission from users. In July six data authorities sent an open letter to the VC industry ask providers like Zoom and Microsoft to review their privacy, security and data protection policies.
The letter read, ‘The principles in this open letter set out some of the key areas to focus on to ensure that your VTC offering is not only compliant with data protection and privacy law around the world, but also helps build the trust and confidence of your userbase.’ They have given the VC industry until 30 September to respond.
Clearly there is some work to be done here to make these systems secure, but also to put people’s minds at ease that the systems they have chosen are safe from harm. We tried to get comment from Microsoft and Zoom for this article, but both declined to be involved (take from that what you will). So we spoke to consultants and system integrators on the front line to ask if security within VC systems was strong enough, whether attacks were on the increase, whether SIs and IT teams were on the same page, and whether there was a trade-off between the easiest to use VC systems and the most secure.
We began by asking if they felt current video conferencing systems were secure or could more be done in that regard? More can be done says Dan Portman, managing director, AVworx. “It starts with business owners taking cyber security seriously enough to invest correctly.” The consensus is that security is an ever-moving target, so it’s never a job that can be ‘completed’ per se, especially now as VC, like the rest of the AV world, is moving from a hardware model to a software model. To be secure you can always do more.
“The systems from the major vendors are actually quite secure if they’re set up correctly, what we do see is that software systems are more plagued with vulnerabilities, because of the nature of those systems,” says Georg Thingbø, CTO, Kinly.
“I think there’s a couple that could improve upon their standards, they have good encrypted transportation but they are not end-to-end encrypted and therefore, whilst they provide levels of security that’s adequate for many applications, it’s perhaps needs to be considered in more secure environments,” adds Steven Rushton, AV consultant, PTS Consulting.Are these stories a mere case of clickbait, or are attacks on VC systems actually on the rise? “I think there is a huge increase going on. Both state-driven and by opportunists. They’re coming from both the network and also the platform,” says Portman.
One issue evident here is that internal IT teams and integrators/consultants often come at the video security topic from different angles. “Most IT departments are turning to Microsoft Teams, which is a great, secure, UC platform, easy to deploy for those using Office365 but it does have its limitations. This is where integrators/consultants need to be honest with their clients and advise and potentially offer either a bridging facility or a complete secure UC platform that ensures information assurance, in a simple intuitive way, which in itself encourages user adoption quickly,” says Portman.
IT and AV teams think differently and act differently when it comes to security says Thingbø. “I think IT departments normally focus on firewall breaches, software exploits, and they use standardised scans. Integrators have more focus on unwanted participants in the meeting, where’s the camera position? Can you see stuff that you’re not supposed to see in that field of view of the camera? What can microphones pick up if they are in the wrong place? Integrators can be better at the software/IT side of things, and IT departments can definitely learn more about the physical aspects of a meeting space.”
It can depend on the size of the client explains Daniel Fattorini, AV services director from transACT, “It’s undoubtedly more difficult to focus on the individual in larger organisations and in IT teams there’ll be people whose only job is work on layer two, so people become more and more siloed and people have a smaller remit over a larger network, so I think among the larger organisations there is a challenge to see the bigger picture.”AV consultants/integrators are often tasked with choosing and then installing a rollout of a VC system across a company. In those first few meetings is security the number issue for clients? More often than not the answer is no.
“A client will never say my number one thing is security. It’s almost like saying tyres are the number one priority for my car, but you need that security in a VC system,” says Rushton. Security falls down the list confirms Thingbø, “Price is the number one issue, then capabilities and ease of use and then security, which is almost taken as a given, it feels likes ‘if you’re delivering something to me, it’s your responsibility to make sure it’s ecure’.” This reaction was echoed by nearly everyone we spoke to, as evidenced by Fattorini, “I think now there’s an increasing vagueness particularly where people are relying on Teams and the security is effectively down to Microsoft rather than the integrator.”
This aspect is the crux of this whole issue, if we can’t convince clients to think differently about security, then how will things improve? “You get an awful lot of people that just don’t understand security. When it comes to a network or a VC system, to them security is having a bolt on the front door, they don’t care about how it works at the back end,” adds Portman. It’s clear increased attacks are targeting IT networks and VC systems, so it’s crucial the AV industry knows how to respond. What security protocols would SIs and consultants recommend once an attack is underway? “We will isolate what we can as quickly as we can, our support desk is in a position where we can literally shut down that client very, very quickly and isolate and collect all the logs, security logs etc,” says Portman.
You need to take in a range of factors and consider the whole picture when it comes to security says Rushton, “You need to think about the pre-call settings - are you forcing people to wait in a meeting room? Why do you want them sitting in a virtual foyer? Because actually you can then control who’s coming into the meeting. You have to think about your core data transmission, how’s that working? If you’ve got a video call and it’s end-to-end encrypted, that’s great, but if someone dials in from a phone system, some phone systems aren’t necessarily on to the latest firmware and the latest encryption, so that becomes a vulnerability."
Rushton’s point there is an important one too, is the difficult aspect of video security that we can’t control who or what is at the other end of the call? “There are things you can do to mitigate against people, but ultimately, if you’re not in control of a point in the middle, if there’s an attack point in the middle or something at the other end, you can’t say what’s going to happen to that,” says Rushton.
It’s a trade-off says Thingbø, “If you want to have a seamless b2b/b2c communication form you need to have it open, there are technologies to lock it down, but then it becomes too cumbersome for the users.” Speaking of trade-offs, is there also one between having the easiest to use video conferencing systems and the ones that are most secure? “There’s always going to be a trade-off, it’s just the way you handle it and what level of risk you’re willing to have in the business you’re in,” says Thingbø. The drive now from PTS and other consultants is about the user experience adds Rushton.
“It’s got to be easy to use. What do I want from the system? I want it to be secure, but I also want to be able to walk in the room and have a green button that says go and know it’s secure.”Providing security in this day and age where everyone and everything is connected is always going to be difficult. Being connected helps us communicate and keeps us working but also leaves us vulnerable.
We can all put policies in place to protect our data and privacy, but as Covid-19 has shown, it’s a nasty surprise lurking around that corner that cause havoc, as this final quote from Kinly’s Thingbø sums up perfectly; “Everything has a risk profile, nothing is really secure, and everything will eventually possibly break. The difference is, do you have a process or the resources in place to handle an unknown event? if you have that, because you always must plan for the unknown, you are more prepared. That’s the thing with security, when security is broken it’s normally because someone has done something you haven’t thought about. But, if you have processes in place for unknown events, you have a much higher chance of dealing with such an event, and that’s probably as prepared as you can be."