The meteoric rise of Zoom as a result of the global pandemic proved that consumers and businesses were able to stay connected when in-person meetings and gatherings became dangerous. However, it’s been proven that Zoom and other commonly used video conferencing platforms have major flaws, which time and time again has resulted in the much-publicized unique Covid phenomenon of “Zoom-bombing.”
Typically, a “Zoom-bombing” incident involves an unwanted meeting guest joining a video call to share inappropriate or offensive content, but this is just the tip of the vulnerability iceberg. The inherent security flaws of these platforms not only give hackers access to meetings in progress, but once a network is breached, these bad actors can easily compromise sensitive and confidential information, previous meeting recordings, as well as a computer’s webcam. These types of incidents have the potential to bring an entire company down
Even as people begin returning to offices we have become so accustomed to virtual meetings that this aspect of “the new normal” seems like it is here to stay. That being said, all of the popular video conferencing platforms like Zoom, Google Meet, Microsoft Teams, Skype, FaceTime, GoToMeeting, etc. have consistently proven to have security issues; most of which are centered around access control or lack of an “Out-of-Band” authentication system, which utilizes two separate channels to authenticate a user, versus an in-band authentication system that uses only one channel and is easily thwarted by a MITM (man-in-the-middle) attack.
Growing security concerns with Zoom
In the wake of the recent Kaseya ransomware attack, it’s not far-fetched to think that hacking groups like REvil will soon set their sights on government targets via Zoom and others, which provide an easy access point to sensitive information. Additionally, hackers are becoming much more sophisticated with their attacks as we saw with the SolarWinds breach earlier this year. It is the duty of the entire public sector to protect national security interests and become educated on these new dangers.
Lately, regional government agencies have started to catch on as the Department of Justice for the Eastern District of Michigan issued a warning against teleconferencing hacking. There was also a warning issued by the FBI’s Boston office regarding teleconferencing and online classroom hijacking.
New York’s attorney general, Letitia James, sent a letter to Zoom asking what, if any, new security measures the company has put in place to handle increased traffic on its network and to detect hackers. While her letter referred to Zoom as “an essential and valuable communications platform,” it outlined several concerns, noting that the company had been slow to address security flaws such as vulnerabilities “that could enable malicious third parties to, among other things, gain surreptitious access to consumer webcams,” according to The New York Times. Furthermore, the New York attorney general’s office is “concerned that Zoom’s existing security practices might not be sufficient to adapt to the recent and sudden surge in both the volume and sensitivity of data being passed through its network. While Zoom has remediated specific reported security vulnerabilities, we would like to understand whether Zoom has undertaken a broader review of its security practices.”
And recently, Senator Ron Wyden (D-Ore.) openly questioned the safety of federal agencies using Zoom. “It is extremely concerning that after Zoom was cleared for government use by the General Services Administration (GSA) in April 2019, security researchers discovered multiple serious vulnerabilities in the year that followed,” Wyden wrote in a letter to acting GSA Administrator Katy Kale.
Many video conferencing users and their organizations, both in the public and private sector, are generally unaware of the privacy and security risks that are present. With video conferencing tools letting people seamlessly meet with doctors, colleagues, friends, and family members with the click of a button, they are also often the least secure portal for cybercriminals to access private information.
Below are a just few examples of what can happen when an unauthorized user gains access to your video meeting:
Meeting bombing: This is when an uninvited guest joins a video conference call to disturb the meeting.
Malicious links in chats: Hackers can gain access to the meeting room and share malicious links in the chat that once clicked will allow them to steal participants’ credentials and other important information.
Data breach: Hackers are usually interested in stealing participants’ data. The user’s webcam provides a window, and malicious software can infiltrate the computer and let a hacker spy on you through that camera. It is even possible for hackers to gain access to users connecting remotely to a conference call with unsecured Wi-Fi in a public place like a coffee shop or airport.
What government agencies can do to stay protected
Hackers are making millions stealing and selling data and there is a necessity for users to have multi-tiered privacy protection that safeguards them against the security dangers that exist in today’s virtual world.
Enterprises need to know that their video conferencing services are built with strong encryption, multi-factor authentication, and layered privacy controls. This will give them the confidence that their meetings are being conducted safely.
To succeed in the future, organizations should implement strong multi-factor security strategies, including the latest types of biometric authentication solutions to ensure users are who they say they are. As biometric technologies continue to evolve, consumers will become much more accustomed to utilizing their phone’s fingerprint & facial recognition capabilities for security.
The global pandemic resulting in stay-at-home orders has led to significant changes in the way people work in all sectors, both public and private. The hard truth is that not a single video conferencing platform out there was built with security as a leading priority. Most of these platforms don’t have an inherent understanding of the security elements that could affect a user’s system, so they don’t even know what to look for when preventing cyber-attacks.
As governments and businesses, both large and small, continue to communicate through video conferencing post-pandemic, we will continue to see a rise in cybercriminals using unique techniques like phishing attacks to infiltrate systems through their video conferencing platforms. As high-profile breaches and attacks increase, it will be essential to take a closer look at the virtual communications tools being used to ensure total organizational safety and security. To prevent this, it goes beyond training and vigilance. Organizations should plan ahead by requiring multi-factor Out-of-Band authentication (MFA) wherever possible to create more certainty that the person using the username and password is who they claim to be.
George Waller, CEO, StrikeForce Technologies