With remote working becoming the new normal, video conferencing apps have become a crucial component of secure business communication platforms, alongside messaging and voice tools. Solutions that were scaled up swiftly to support a remote workforce have exposed the security threats facing the video conferencing tools many companies rely on for communication.
While easy to use, these tools lacked enterprise-grade security protocols, exposing businesses to significant protection and privacy risks. A respondent to an (ISC)2 survey stated that COVID-19 hit organizations with all the necessary ingredients to fuel cybercrime.
The sudden surge of remote working has left IP-based audio/video conversations facing sophisticated attacks every day, aimed either at accessing valuable information or at breaking the system so that it can no longer be used.
From this article, you will learn about video conferencing security and how to improve existing apps to protect your data.
What is video conferencing
Video and audio input from a device's camera and microphone are converted from an analog to a digital signal and transmitted over the internet. Compression/decompression software, known as a codec, shrinks the data so that it is smaller and faster to transfer. When the data arrives at the other end, the codec decompresses it and converts it back to analog signals that are played through speakers or shown on a screen.
Most video conferencing programs use software for noise suppression and sound control. The process requires high-speed, high-capacity internet connections and networks. Users can either install an app or connect through the browser.
A few big market players, such as Microsoft, Zoom, Webex, and Google, offer free-of-charge video conferencing software, and many smaller and custom platforms and apps can be tailored specifically to the needs of organizations and businesses.
All the platforms and apps on the market can be integrated with a broad choice of other tools and apps. These features make them easy to use, but one issue has been consistent both before and after COVID-19: the entire notion of video conferencing security has been under-appreciated by organizations. As a result, users put everything out there, giving a successful attacker limitless access to potentially sensitive data.
Video conferencing security issues
As quarantine and remote work have taken hold, more people have become regular users of video conferencing tools. For many of these new users, traditional security training and messaging have been few or non-existent. Even companies with previously strict security practices rushed to implement new platforms to maintain productivity, creating a paradise for hackers and cyber-criminals.
Data transmission is the most unprotected area of conferencing security, as a video conference must travel over many public and private networks to reach its destination. If a hacker attacks a non-encrypted conference call, the stream can turn into a personal surveillance camera, recording and re-sharing corporate secrets and top-secret intelligence.
Video conferences may also be archived for later use. Since both the media and the metadata (attendee lists, polls, shared content, etc.) from these calls could be sensitive, data leakage poses a significant threat to videoconferencing cybersecurity.
Examples of vulnerabilities in the voice and video conferencing platforms
- Being the most downloaded tool, Zoom has almost become an antonym for secure video conferencing. One of the issues Zoom users faced in the early days of quarantine remote working was so-called Zoombombing: pranksters joined Zoom calls and broadcast porn or shock videos. Zoom's default settings were to blame, as they didn't encourage setting a password for meetings and allowed any participant to share their screen. Zoombombing was only the first of many recent security and privacy concerns, though. Zoom also had to update its iOS app to remove code that sent device data to Facebook.
- In March 2019, Cisco Webex Teams eliminated two high-severity vulnerabilities in its video conferencing tools. When exploited, these allowed an attacker to execute code on affected systems, compromising video conferencing security policy. Earlier in the year, Cisco fixed a defect that permitted unauthenticated users to join password-protected meetings.
- A critical vulnerability was found in Slack, which led to automated account takeovers (ATOs) and data breaches. It brought massive enterprise chat security risks. Additionally, as Slack is the overwhelming leader in AppStore "integrations," it also exposes them. There have been cases where an attacker created a Slack add-on advertising excellent features that reads channel data once end-users install it.
- The remodeled Google Meet solution features a 25-character string for meeting IDs. It also restricts external participants from joining a meeting 15 minutes before it starts. Unfortunately, it does not yet offer fully encrypted video conferencing.
- For the time being, Microsoft Teams seems to be winning the communications war regarding video conferencing security. Its reputation may be due to better protection and enterprise security experiences or just a PR effort. Microsoft proclaims many of the security settings and features that other platforms are now deploying or considering. Yet it was revealed that in the early spring of 2020, Teams had a security flaw that allowed a 'malicious GIF' to steal user data across an entire company. Some customers are also still waiting for Teams to implement advanced video conferencing security best practices previously available in Skype for Business.
- Twilio, a US communications giant, confirmed privacy issues with its video conferencing solution. Twilio, which lets users build video, voice, and messaging capabilities, including two-factor authentication, stated that someone gained “unauthorized access” to information related to Twilio customer accounts. Later on, Twilio, whose biggest clients include Uber and Meta, confirmed that its two-factor authentication app Authy had also been compromised, which only proves that you can’t be too careful when weighing video conferencing security risks.
- Data breaches have not spared even giants such as Samsung. In September 2022, Samsung released a brief notice stating that it had discovered a security incident in which an “unauthorized third party acquired information from some of Samsung’s U.S. systems.” The company said it determined that customer data was compromised; Social Security numbers and credit card numbers were not affected, but some customer information — name, contact and demographic information, date of birth, and product registration information — was taken.
- Signal, a popular voice and messaging application, confirmed that data of its users had leaked. It happened after Twilio, the company that provides Signal with phone number verification services, suffered a phishing attack. After the incident, affected Signal users received messages urging them to re-register in the app. However, according to Signal, the attacker no longer has access to the sensitive data, and the attack has been shut down by Twilio.
Tips on increasing video conferencing cyber security
There is no question that security is a significant part of video conferencing, but what exactly are the critical elements, and how do you avoid video conferencing security mistakes? Here's a list of the main tips for securing video conferencing:
Require a Password to Join
Requesting a password for a meeting from attendees will prevent uninvited visitors from joining. It's good practice to include a multi-factor authentication feature to ensure additional security and verify that only authorized members participate in a meeting.
Conduct regular software updates
Installing security patches promptly ensures that the software you're using has the most recent fixes. Make sure you're downloading an official release of the software, so that you don't install malware in its place.
Keep track of who joins the meeting
You need to be able to identify all guests. It's useful when the video conferencing software notifies the host whenever a new person joins a meeting.
Establish waiting rooms
Instead of letting participants join a meeting directly, make the host of the conference control access. When the waiting room feature is implemented, the host receives a notification that someone wants to join the meeting. The responsible person can then determine whether it is acceptable for the guest to participate.
Encrypt Meeting Recordings
End-to-end encryption is critical when discussing sensitive corporate information. Password-protected encryption will make your data inaccessible when received by third parties. On the other hand, when data transmission is not encrypted, a hacker can obtain and read data easily.
Build a corporate video conferencing culture
Regardless of your choice of video conferencing provider and the security measures built into it, if your employees don't have established best-practice behaviors, tools alone won't keep cyber threats to video conferencing software at bay.
Be on the lookout for unknown phone numbers
If any attendee dials in from an unknown number, ask them to confirm their identity. If the intruder refuses to do so, remove them from the call. Check whether your conferencing application requires passwords when dialing in. Avoid publicly sharing full meeting links. When receiving a meeting invitation, verify that it's from a known, trusted sender. Once everyone has joined, lock the meeting to keep out unknown attendees.
Establish notifications when meetings are forwarded
Set alerts so you know when meeting invites are forwarded over email to others. Check that any secondary invitees are legitimate. If necessary, schedule another meeting with new details.
Limit file sharing in the chat
Restrict file sharing in the chat panel of a video conference so that unknown attendees cannot receive and open private documents or send malware disguised as an attachment to others on the call.
Choose a business or enterprise plan
Your employees need efficient communication tools. Consider paying for an enterprise license that gives greater control over employee use and ensures access to additional features that meet your privacy needs.
Custom-made solutions provide complete cyber security
All the measures mentioned above can minimize cyber security threats while videoconferencing, but they don't reduce the risk to zero. What can be done to eradicate cyberattacks is to develop a custom-made videoconferencing tool with tailor-made security protocols that protect every communication and all shared data.
Security Software Development Life Cycle
The first step is to integrate security into the entire software development life cycle (SDLC), which enables, rather than inhibits, the delivery of high-quality, highly secure products to market. An SDLC is a framework for building an application from inception to decommissioning.
Previously, companies performed security-related activities at the testing stage, at the end of the SDLC. It's much better to integrate security testing across the SDLC to discover and reduce vulnerabilities early, effectively building security in. Security assurance activities include architecture analysis during design, code review during coding and build, and penetration testing before release.
DDoS attack protection service
Another way of securing software and data from cyber threats is to implement a DDoS attack protection service. A Denial of Service (DoS) attack is a malicious attempt to affect the availability of a targeted system, such as a website or application, to legitimate end-users. Typically, attackers generate large volumes of packets or requests, ultimately overwhelming the target system. In a Distributed Denial of Service (DDoS) attack, the attacker uses multiple compromised or controlled sources.
One of the techniques to mitigate DDoS attacks is to minimize the attack surface, thereby limiting the options for attackers and allowing protections to be built in a single place. This can be done by placing computation resources behind Content Distribution Networks (CDNs) or load balancers and restricting direct Internet traffic to certain parts of the infrastructure, such as database servers. Firewalls or Access Control Lists (ACLs) can also be used to control what traffic reaches the application.
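As an added illustration of the last two measures (restricting which sources may reach internal components, and throttling what does reach the application), here is an example written for this article rather than taken from any product or from Softermii's code: a default-deny ACL expressed as (source network, destination port) pairs, and a per-source token-bucket throttle replayed over a constructed request trace in which one address floods and another behaves normally. All addresses, rules and rates are constructed.

```python
"""Two DDoS-mitigation building blocks: a default-deny ACL and a per-source
token-bucket throttle. Added example for this article; addresses, rules and
the request trace are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed ACL: the database port is reachable only from the app-tier
# subnet, the public HTTPS port from anywhere. Anything not listed is denied.
ACL: List[Tuple[str, int]] = [
    ("10.0.1.0/24", 5432),   # app tier -> database
    ("0.0.0.0/0", 443),      # internet -> public edge
]


def acl_permits(src_ip: str, dst_port: int) -> bool:
    """Default-deny: permit only (source network, destination port) pairs in ACL."""
    src = ipaddress.ip_address(src_ip)
    return any(
        src in ipaddress.ip_network(net) and dst_port == port
        for net, port in ACL
    )


@dataclass
class Bucket:
    tokens: float
    last: float


@dataclass
class SourceThrottle:
    """Allow at most `rate` requests/second per source, with bursts up to `burst`."""
    rate: float = 3.0
    burst: float = 10.0
    buckets: Dict[str, Bucket] = field(default_factory=dict)

    def allow(self, source: str, now: float) -> bool:
        b = self.buckets.get(source)
        if b is None:
            b = Bucket(tokens=self.burst, last=now)  # new sources start full
            self.buckets[source] = b
        # Refill proportionally to elapsed time, never above the burst size.
        b.tokens = min(self.burst, b.tokens + (now - b.last) * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False  # dropped requests do not consume tokens


# Constructed trace: (timestamp in seconds, source). 203.0.113.7 sends 100
# requests in one second; 198.51.100.2 sends four requests over two seconds.
SAMPLE_REQUESTS: List[Tuple[float, str]] = (
    [(i * 0.01, "203.0.113.7") for i in range(100)]
    + [(i * 0.5, "198.51.100.2") for i in range(4)]
)


def run_throttle(requests: List[Tuple[float, str]],
                 rate: float = 3.0, burst: float = 10.0) -> Dict[str, Dict[str, int]]:
    """Replay requests in time order; return allowed/dropped counts per source."""
    throttle = SourceThrottle(rate=rate, burst=burst)
    stats: Dict[str, Dict[str, int]] = {}
    for ts, src in sorted(requests):
        s = stats.setdefault(src, {"allowed": 0, "dropped": 0})
        s["allowed" if throttle.allow(src, ts) else "dropped"] += 1
    return stats


if __name__ == "__main__":
    print(acl_permits("10.0.1.25", 5432), acl_permits("203.0.113.7", 5432))
    print(run_throttle(SAMPLE_REQUESTS))
```

With a burst of 10 and a refill rate of 3 per second, the flooding source gets its first ten requests through and then only one more roughly every third of a second, while the well-behaved source is never throttled. In practice the throttle state would live in the edge (CDN, load balancer or WAF) and the ACL in the firewall or security group, so the application itself never sees the excess.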
RTP (Real-time Transport Protocol) is the dominant protocol for transmitting voice and video over IP networks. It is an application-level protocol whose core is defined in RFC3550. RTP is almost 20 years old, and throughout its lifetime there have been various approaches to securing it as SRTP (the "S" stands for "secure"), including ZRTP, SDES, MIKEY, and DTLS-SRTP. The main difference between them is how they exchange the keys used to secure the conversation. Let's focus on DTLS-SRTP (Datagram Transport Layer Security for Secure Real-time Transport Protocol), as it is the basis of WebRTC voice and video transmission. WebRTC mandates that all media must be secured using DTLS-SRTP, with specific requirements.
DTLS-SRTP has proven its ability to provide strong encryption for the media payload carried over RTP when all other security criteria are met. SRTP doesn't encrypt packets entirely, just the media payload portion. RTP headers remain unencrypted and can be viewed if captured, but they don't contain any sensitive information (SRTP's authentication tag does cover them, so they cannot be altered undetected). Media carried over DTLS-SRTP is secure provided the following criteria are met:
- Rely on DTLS 1.2; lower versions should be avoided;
- Choose only ECDHE + AEAD cipher suites, i.e. suites that provide perfect forward secrecy (PFS);
- Make signaling rock solid secure;
- Make the server validate the key fingerprints that are sent separately over signaling before trusting the DTLS key exchange;
- Avoid any key exchange over signaling;
- When using intermediate servers, ensure that their private keys are secure and regenerated at least on each restart.
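The criteria above can be enforced at the point where a DTLS-SRTP session is accepted. The following is an added example written for this article (not code from WebRTC, any library, or Softermii): it assumes the DTLS stack exposes the negotiated version and the IANA cipher suite name as strings and the peer certificate as DER bytes, and the certificate bytes it uses are constructed stand-ins rather than a real certificate. It checks the version and cipher policy, then verifies that the certificate presented in the handshake hashes to the fingerprint received over signaling, which is how WebRTC binds the DTLS key exchange to the signaling channel.

```python
"""Gate checks a DTLS-SRTP endpoint applies before trusting a peer's keys.
Added example for this article, not code from WebRTC or any library.
Assumes the DTLS stack reports version and cipher suite as strings and the
peer certificate as DER bytes; the certificate below is a constructed stand-in."""
import hashlib
import hmac
import re
from typing import Tuple

# SDP hash-function names accepted by this policy -> hashlib names.
# md5 and sha-1 are deliberately absent.
SUPPORTED_DIGESTS = {"sha-256": "sha256", "sha-384": "sha384", "sha-512": "sha512"}

FINGERPRINT_RE = re.compile(
    r"^a=fingerprint:(?P<alg>[A-Za-z0-9-]+)\s+"
    r"(?P<hex>(?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})\s*$"
)


def check_dtls_policy(version: str, cipher_suite: str) -> bool:
    """Accept only DTLS 1.2 with an ECDHE (forward-secret) key exchange and an AEAD cipher."""
    if version != "DTLSv1.2":
        return False
    name = cipher_suite.upper()
    forward_secret = "ECDHE" in name
    aead = any(tag in name for tag in ("_GCM_", "CHACHA20_POLY1305", "_CCM"))
    return forward_secret and aead


def parse_sdp_fingerprint(sdp_line: str) -> Tuple[str, bytes]:
    """Parse an SDP 'a=fingerprint' attribute into (hash name, raw digest bytes)."""
    m = FINGERPRINT_RE.match(sdp_line.strip())
    if not m:
        raise ValueError("malformed a=fingerprint line")
    alg = m.group("alg").lower()
    if alg not in SUPPORTED_DIGESTS:
        raise ValueError(f"fingerprint hash {alg!r} not allowed by policy")
    return alg, bytes.fromhex(m.group("hex").replace(":", ""))


def certificate_fingerprint(der_cert: bytes, alg: str = "sha-256") -> bytes:
    """The fingerprint is the hash of the DER-encoded certificate."""
    return hashlib.new(SUPPORTED_DIGESTS[alg], der_cert).digest()


def format_fingerprint(digest: bytes) -> str:
    """Render a digest in the colon-separated upper-case hex form used in SDP."""
    return ":".join(f"{b:02X}" for b in digest)


def verify_peer_certificate(sdp_line: str, presented_der_cert: bytes) -> bool:
    """True only if the certificate seen in the DTLS handshake hashes to the
    fingerprint that arrived over the (separately secured) signaling channel."""
    try:
        alg, expected = parse_sdp_fingerprint(sdp_line)
    except ValueError:
        return False
    actual = certificate_fingerprint(presented_der_cert, alg)
    return hmac.compare_digest(actual, expected)  # constant-time comparison


def accept_dtls_peer(version: str, cipher_suite: str, sdp_line: str, der_cert: bytes) -> bool:
    """Combined gate: negotiated parameters meet policy AND the certificate matches signaling."""
    return check_dtls_policy(version, cipher_suite) and verify_peer_certificate(sdp_line, der_cert)


# Constructed stand-in for a peer's DER certificate (not a real certificate).
PEER_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-peer-certificate-bytes" * 4
# What that peer would put in its SDP offer/answer.
PEER_SDP_FINGERPRINT = "a=fingerprint:sha-256 " + format_fingerprint(
    certificate_fingerprint(PEER_CERT_DER)
)
# A substituted certificate that differs from the signaled one by a single byte.
TAMPERED_CERT_DER = PEER_CERT_DER[:-1] + b"\x00"

if __name__ == "__main__":
    print(accept_dtls_peer("DTLSv1.2", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                           PEER_SDP_FINGERPRINT, PEER_CERT_DER))
    print(accept_dtls_peer("DTLSv1.2", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
                           PEER_SDP_FINGERPRINT, TAMPERED_CERT_DER))
```

Rejecting weak hash names outright and comparing digests in constant time are deliberate choices. The fingerprint check is only as trustworthy as the signaling channel it arrived on, which is why the list above also requires signaling itself to be secured.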
In the context of videoconferencing, end-to-end (e2e) encryption needs to be discussed. WebRTC media servers are known as one of the few highly secure options, having end-to-end encryption capabilities by default, and three main topologies are used in videoconferencing:
Mesh
Every participant establishes a connection with every other participant. The pros of this topology are that it is truly e2e secured and there are no intermediate servers that could intercept traffic. The cons are that it does not scale, because each participant must separately encode and send audio/video streams to every conference peer, using a lot of CPU and bandwidth. It also offers no solid recording mechanism, integrations, or optimizations.
MCU (Multipoint Control Unit)
Every participant connects to a central server and sends its audio and video streams there. The server receives streams from all participants, mixes them into a composite, and every participant receives a single composite audio stream and a single composite video stream. The pros are that it dramatically reduces client-side bandwidth and complexity. The cons are that the server uses a huge amount of CPU, as it needs to decode and encode frames for each participant.
SFU (Selective Forwarding Unit)
It is a tradeoff between MCU and Mesh. Everyone in a conference negotiates a connection to the central server and sends audio and video streams there. When the server receives a packet from a participant, it creates copies and sends them to all other participants. It doesn't decode the payload but simply forwards the packets between participants. It's the most commonly used topology in modern video conferencing (Google Hangouts, Zoom, MS Teams). Sometimes it is combined with an additional MCU server to create a composite stream for recording or streaming purposes.
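To see what an SFU actually touches, here is an added example written for this article (not taken from any real SFU or from Softermii's code): it parses the cleartext RTP header of each packet, routes the packet by SSRC to every other participant, and leaves the payload, which would be SRTP-encrypted in practice, untouched. The packets and the placeholder payload bytes are constructed. In a real deployment the SFU identifies the sender by the DTLS-SRTP transport the packet arrived on rather than by a trusted SSRC table; the table here is a stand-in for that.

```python
"""SFU-style forwarding driven only by the cleartext RTP header.
Added example for this article, not code from any real SFU. Packets and
the opaque payload bytes are constructed; SSRC ownership stands in for the
per-participant transport a real SFU would use."""
import struct
from typing import Dict, List

RTP_HEADER = struct.Struct("!BBHII")  # V/P/X/CC, M/PT, seq, timestamp, SSRC


def build_rtp_packet(ssrc: int, seq: int, timestamp: int,
                     payload_type: int, payload: bytes) -> bytes:
    """Construct a minimal RTP packet: version 2, no padding, no extension, no CSRCs."""
    first = 2 << 6
    second = payload_type & 0x7F           # marker bit left clear
    return RTP_HEADER.pack(first, second, seq & 0xFFFF,
                           timestamp & 0xFFFFFFFF, ssrc & 0xFFFFFFFF) + payload


def parse_rtp_header(packet: bytes) -> Dict[str, int]:
    """Parse the fixed 12-byte header (plus CSRC list); raise ValueError if malformed."""
    if len(packet) < RTP_HEADER.size:
        raise ValueError("packet shorter than RTP header")
    first, second, seq, ts, ssrc = RTP_HEADER.unpack_from(packet)
    version = first >> 6
    if version != 2:
        raise ValueError(f"unsupported RTP version {version}")
    cc = first & 0x0F
    header_len = RTP_HEADER.size + 4 * cc
    if len(packet) < header_len:
        raise ValueError("truncated CSRC list")
    return {
        "version": version, "padding": (first >> 5) & 1, "extension": (first >> 4) & 1,
        "cc": cc, "marker": second >> 7, "payload_type": second & 0x7F,
        "seq": seq, "timestamp": ts, "ssrc": ssrc, "header_len": header_len,
    }


class SelectiveForwardingUnit:
    """Copies each inbound packet to every other participant, byte for byte."""

    def __init__(self) -> None:
        self.participants: List[str] = []
        self.ssrc_owner: Dict[int, str] = {}
        self.outbox: Dict[str, List[bytes]] = {}
        self.dropped = 0

    def join(self, participant: str, ssrc: int) -> None:
        self.participants.append(participant)
        self.ssrc_owner[ssrc] = participant
        self.outbox[participant] = []

    def ingest(self, packet: bytes) -> List[str]:
        """Route one packet; returns the participants it was forwarded to."""
        try:
            hdr = parse_rtp_header(packet)
        except ValueError:
            self.dropped += 1           # malformed: never forwarded
            return []
        sender = self.ssrc_owner.get(hdr["ssrc"])
        if sender is None:
            self.dropped += 1           # SSRC of nobody who joined: dropped
            return []
        targets = [p for p in self.participants if p != sender]
        for p in targets:
            self.outbox[p].append(packet)   # payload is never inspected or decoded
        return targets


def simulate_conference() -> SelectiveForwardingUnit:
    """Three constructed participants, two valid packets, one unknown SSRC, one junk packet."""
    sfu = SelectiveForwardingUnit()
    for name, ssrc in (("alice", 0x1111), ("bob", 0x2222), ("carol", 0x3333)):
        sfu.join(name, ssrc)
    opaque = b"\xde\xad\xbe\xef" * 4        # stands in for SRTP-encrypted media
    sfu.ingest(build_rtp_packet(0x1111, 1, 160, 111, opaque))
    sfu.ingest(build_rtp_packet(0x2222, 7, 320, 111, opaque))
    sfu.ingest(build_rtp_packet(0x9999, 1, 0, 111, opaque))   # nobody owns 0x9999
    sfu.ingest(b"\x00\x01")                                    # too short to be RTP
    return sfu


def delivery_counts(sfu: SelectiveForwardingUnit) -> Dict[str, int]:
    """Packets queued per participant plus the number dropped."""
    counts = {p: len(q) for p, q in sfu.outbox.items()}
    counts["dropped"] = sfu.dropped
    return counts


if __name__ == "__main__":
    print(delivery_counts(simulate_conference()))
```

Everything the forwarder needs (SSRC, sequence number, payload type) sits in the unencrypted header, which is why an SFU scales without the MCU's decode/encode cost. Because a standard SFU terminates each participant's DTLS-SRTP session it does hold the per-hop SRTP keys; the forwarding logic simply never uses them, and a design that must keep media unreadable at the server needs an additional encryption layer above SRTP.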
WebRTC mandates media security in a very detailed and strict manner. But as it is signaling-agnostic, no RFC standardizes its signaling, and WebRTC provides no API to handle it. From a browser standpoint, the most appropriate solution is to use secure WebSocket connections at the transport layer. It is also possible to organize WebRTC signaling over simple HTTPS requests (from an encryption standpoint, the two are the same).
If you choose HTTP, you have to handle all the security considerations yourself. If you connect your servers to third-party systems such as a SIP trunk to achieve PSTN connectivity, prefer vendors that support SIP over TLS and SRTP in any of its forms. Also consider picking reliable, battle-tested solutions. In the case of SIP, for example, you would want protection from the outside world with a Session Border Controller capable of SIP traffic sanitizing, topology hiding, traffic throttling, spam detection, and so on. Good candidates for building such a gateway are Kamailio or OpenSIPS.
The market offers all-purpose tools that carry cyber threats for video conferencing software. To avoid security breaches, companies can develop their own application using our step-by-step guide.
If you're not into developing and looking to have a ready-to-use secured video communication solution, we're here to help. Video conferencing is our specialty — we have developed tailor-made and out-of-the-box video conferencing software for social networks, property management, telemedicine, and online events applications.
One of the significant examples of our work is HIPAA Telemed — a video conferencing app for accessible healthcare and medical advice. It is used both by doctors and patients for remote health consultations. This technology has been booming since the beginning of the pandemic.
This app has been built using WebRTC technology. It has been customized to the client's needs: we've implemented video and audio calls, messaging, and appointment management. The application complies with HIPAA, the US health data privacy and security regulation.
Another example of our expertise is our collaboration with Parta, a social networking application with video calls as its main feature. This app has been created explicitly for building communities.
All of these custom, tailor-made solutions have been using video conferencing security best practices. Our team of skilled software development engineers and architects pays special attention to eliminating all possible cyber threats for video conferencing software when developing new tools and applications.
Things get better with cybersecurity
Videoconferencing security is not only in a company's best interest — it is the law. Government regulations like the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act of 2002, and GDPR rules demand that medical providers, financial institutions, and other corporations secure all digital data associated with their customers and patients. That includes all electronic transmissions of personal client data, even video conferences.
However, a recent research study by the data security company Rapid7 has shown an enormous need for improved vulnerability management practices. Every company needs to communicate safely in a virtual environment, from small and mid-sized businesses to larger corporations and enterprises. The best possible way to get rid of video conferencing security issues is to turn to custom-made software development. And Softermii must be just the right company to help. Drop us a line!
Frequently Asked Questions
Does Softermii offer a secure video conferencing solution development?
Yes, we do! One of our top priorities when developing a video conferencing solution is to implement video conferencing security best practices, so that our clients can be sure that their own and third-party data won’t be compromised or leaked. We use multiple technologies to make our solutions free of video conferencing security risks.
Do you provide a secure video conferencing design of your solution?
We offer all kinds of design and development services tailored to our clients’ needs. Thus, becoming our client, one can be sure to get the best secure video conferencing solution development there is on the market.
Is it important to implement encrypted video calling for businesses?
If you want to avoid video conferencing security risks and utilize video conferencing security best practices, it is of utmost importance to implement encrypted video calling for business. It’ll mean you’ll most certainly prevent data leaks and breaches of your sensitive data and protect your clients as well as workers from their data being compromised.