This July, the Zoom bug quickly got us all thinking about videoconferencing security again. Although the bug was quickly squashed, the idea that someone could send you a link that would arbitrarily add you to a conference call – thus allowing attackers to spy on you through your webcam – was unsettling beyond belief. Although Apple patched the Zoom bug out of existence before anyone could take advantage of it, the implications are worth considering.
ICYMI: What Was the Zoom Bug?
Zoom is one of the world’s most popular videoconferencing apps, with a large install base. A few months ago, a security researcher named Jonathan Leitschuh discovered a flaw in the Mac version of the company’s software that would allow attackers to take over a user’s camera after sending them a malicious link.
4 Million People...
In addition, Zoom delivers a package that installs an insecure web server on Macs, potentially allowing attackers to deliver DDoS attacks. When Mac users uninstall Zoom, the server stays behind – leaving users vulnerable long after they (justifiably) ditch the company. Leitschuh estimated that around 4 million people were vulnerable to attack.
90 Days To Respond...
While these vulnerabilities were both bad and dangerous, they might not have made headlines except for the fact that Zoom was incredibly lazy about responding to them. As is tradition, Leitschuh gave Zoom 90 days to respond to the vulnerability after first disclosing it privately. Zoom did almost nothing in return, aside from releasing an ineffective patch. After the 90-day deadline ran out, Leitschuh went public, even going so far as to release a proof-of-concept exploit. The resulting public furor was intense. Zoom released a much more comprehensive patch almost immediately, and Apple even stepped in and released a separate patch to mitigate the issue.
The Zoom Bug is a Wake-Up Call
Even if you patched the Zoom bug as soon as you were made aware of it, the fact remains that your videoconferencing system – whether it’s a full room devoted to videoconferences or just the webcam built into your laptop – might not be completely secure.
Access The Feeds From Your Camera And Microphone...
For one thing, more than one exploit would let attackers access the feeds from your camera and microphone. In 2018, a researcher from Google’s Project Zero found long-buried vulnerabilities in videoconferencing protocols such as WebRTC, PJSIP, and Apple’s FaceTime library. These would allow attackers to place a video call that triggers a buffer overflow within apps such as WhatsApp or Facebook Messenger, allowing them to take over the recipient’s account.
Only A Matter Of Time...
The vulnerabilities in WebRTC et al. were arguably a bigger deal than the Zoom bug itself. You can uninstall Zoom, but almost every popular videoconferencing app uses one of the three protocols above. Fortunately, these vulnerabilities were also patched before they were exploited in the wild, but the regular cadence of vulnerabilities shows us that it’s only a matter of time before a massive videoconferencing breach rears its ugly head.
What Should You Do to Prevent Eavesdropping?
First, seek to limit the impact of a potential disaster. Then implement controls. If someone hacks your videoconferencing implementation, they can hear what you hear and see what you see. You can’t do much about what they can hear, but you can take visuals out of the equation. If your desk, board room, or conference room happens to contain something like a post-it note with all of your passwords, or a binder with your plans for world domination, now is your chance to tidy those things away. Better yet, Microsoft Teams gives you a feature that can blur your background automatically.
Avoid And Mitigate Eavesdroppers Themselves...
Finally, you should set clear policies regarding the kind of material that can be brought into a videoconference room, in order to avoid accidental breaches. Once you’ve cleared away the low-hanging fruit, your next step is to avoid and mitigate eavesdroppers themselves. This starts with encryption. Most popular videoconferencing applications are encrypted by default, but if you’re running a custom setup for your boardroom or conference room, you may need to double-check. For example, you need to place a dedicated encryption solution between your multiplexor and your videoconferencing equipment; otherwise your setup will be considered insecure.
Strong Passwords, A Firewall, A PIN System...
Attackers can also hack your endpoint and applications directly, take advantage of misconfigured APIs, or breach public-facing video servers for a man-in-the-middle attack. All of these have the potential to allow an attacker to eavesdrop on your video calls. Your videoconferencing implementation needs strong passwords, a firewall, a PIN system, and most of the other security protections that you’d place in front of your endpoints.
KiZAN Helps Keep Videoconferencing Safe
If you’re already stretched thin by providing security for other aspects of your business, securing your videoconferencing implementation might be the last straw. We can help. Our security solutions can provide monitoring, security updates, data security, and strong authentication solutions for your video calls – everything you need to keep safe from eavesdropping and other attacks.
Posted by Brad Watson
As KiZAN’s B2B Ambassador, my job is to cut through the buzzword clutter. With a background in broadcasting, writing, advertising, software development, and business ownership, I’m uniquely positioned to help you deflate the “marketing fluff” and identify solutions for the “true” needs of your organization.