The world has suddenly come to rely on videoconferencing tools. Zoom saw a jump from 10 million users to 300 million users between December and April of this year. Microsoft Teams usage increased 70 percent to 75 million daily users. Businesses, governments, schools, and individuals quickly embraced video conferencing as a way to work, learn, and connect during these days of social distancing.
As usage skyrockets, security risks abound, such as:
- Meeting hijacking – Attackers take over a videoconference meeting to disrupt it, often using offensive language or images.
- Monitoring – Attackers who silently lurk are an even greater concern for organizations that hold confidential discussions online.
- Social Engineering – Cybercriminals leverage videoconferencing tools in social engineering attacks, distributing fake executable files and more.
- Vulnerabilities – More sophisticated cybercriminals can also attempt to monitor communications or conduct privilege escalation attacks using vulnerabilities in collaboration software (although these issues are relatively rare).
- Denial-of-Service – Now that so many of us have come to depend on videoconferencing tools, outages and denial-of-service attacks have become a real risk.
We will discuss each of these issues in the following sections.
Hijacking and Monitoring
“Zoombombing” (when malicious actors disrupt Zoom meetings) burst into common usage this spring, after schools, businesses and associations experienced attacks. “Zoombombing” was possible because many users did not require passwords on meetings, often for convenience or because the meeting was intended to include the public. Meeting IDs are often shared with large lists or even the public, increasing the risk that a bad actor could join the meeting and disrupt it.
Even the Prime Minister of the U.K., Boris Johnson, accidentally shared the U.K. Cabinet’s meeting ID on Twitter after announcing the U.K.’s first-ever “digital Cabinet” meeting. This triggered widespread concerns that a malicious actor could attempt to break into future closed-door meetings.
Cybercriminals can also use traditional “war dialing” tactics to find open Zoom meetings. In early April, researchers from the security group SecKC released zWarDial, a tool that automatically enumerates Zoom meeting IDs and lists open meetings. This only works for meetings that do not use a passcode. Since Zoom meeting IDs are 10-11 characters, it is possible to programmatically iterate through the possibilities.
Concerns about disrupted or monitored meetings are not limited to Zoom; any videoconference meeting that can be shared can be similarly abused. For example, GoToMeeting users have a “Personal Meeting Room” which utilizes the user’s username—far easier to target than a pseudorandom series of digits. The random room numbers are 9 digits long, which is actually a smaller search space than Zoom’s current 10-11 character IDs.
Credential stuffing and password theft are problems that apply to videoconferencing. In April, 500,000 Zoom credentials were discovered for sale on the dark web. These included accounts linked to major financial institutions, schools and more.
In addition to meeting hijacking, criminals can use these same tactics to monitor meetings or infect more victims. Malicious actors can also get into the chat feature of the video conference platform, enabling them to share links designed to steal credentials or install malware on a user’s device.
Social Engineering
What better way to get a user to download malware onto their computer than to trick them into thinking it’s a legitimate new program they want to install? Cybercriminals quickly recognized that millions of new users were installing videoconferencing tools, and they created thousands of fake domains referencing “Zoom” and similar keywords to lure unsuspecting users. Criminals even took legitimate videoconferencing programs, infected them with malware, and placed them on fake websites for users to download.
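Lookalike domains of the kind described above can be flagged from DNS or proxy logs. The following is an added example, not from the original article: it classifies queried hostnames against the “zoom” keyword, and the allowlist, the log format, and the `.example` hostnames are assumptions constructed for illustration.

```python
import re

BRAND = "zoom"
LEGIT = {"zoom.us", "zoom.com"}        # assumption: the vendor's registrable domains
FOLD = str.maketrans("0135", "oles")   # digit-for-letter swaps (constructed mapping)

def registrable(host):
    # Naive eTLD+1 (last two labels); assumes no multi-part suffixes such as co.uk.
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    host = host.lower().rstrip(".")
    if registrable(host) in LEGIT:
        return "legit"
    if BRAND in host:                  # also catches zoom.us.<other-domain> tricks
        return "brand-keyword"
    folded = host.translate(FOLD)
    if BRAND in folded:
        return "homoglyph"
    for tok in re.split(r"[.\-_]", folded):
        # Heuristic: same first and last letter keeps "room" or "zoo" out.
        if tok[:1] == "z" and tok[-1:] == "m" and edit_distance(tok, BRAND) == 1:
            return "typo"
    return "unrelated"

# Constructed sample DNS log lines; the .example names are placeholders.
SAMPLE_LOG = """\
2020-04-06T09:12:01Z client=10.0.0.12 query=us02web.zoom.us
2020-04-06T09:12:07Z client=10.0.0.31 query=zoom-download.example
2020-04-06T09:13:40Z client=10.0.0.31 query=z00m-meeting.example
2020-04-06T09:14:02Z client=10.0.0.8 query=zoom.us.login-portal.example
2020-04-06T09:15:55Z client=10.0.0.44 query=zooom.example
2020-04-06T09:16:10Z client=10.0.0.44 query=classroom.example
"""

def scan(log_text):
    pairs = re.findall(r"client=(\S+) query=(\S+)", log_text)
    return [(c, h, classify(h)) for c, h in pairs
            if classify(h) not in ("legit", "unrelated")]
```

Calling `scan(SAMPLE_LOG)` returns the four suspicious lookups with the client that made each one; a "brand-keyword" hit is a candidate for review, not proof of malice.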
Vulnerabilities
Security problems are ubiquitous in all software, and the more people who use a product, the more likely it is that bugs will be found. As videoconferencing has ramped up in popularity, so too have the known flaws. For example, in March, Cisco announced high-severity flaws in the WebEx videoconferencing platform which could facilitate arbitrary code execution. Zoom was famously the subject of a security research project, which uncovered misrepresentations in its encryption scheme, and in March, a security researcher disclosed a Zoom vulnerability that could allow attackers to use the chat feature to steal passwords from users. The vulnerabilities and misrepresentation were rapidly corrected. While these do introduce risks, in general, videoconferencing providers have responded very quickly and taken appropriate action to address disclosed vulnerabilities.
Denial of Service Attacks
Videoconferencing has become a critical part of daily operations for many organizations—to the point where disruptions of service can impact business continuity. As usage spikes, service quality can suffer. For example, in response to a 775% increase in the usage of Microsoft cloud services, the company “did admit to degradation in the deployment of some compute resource types across some regions.” Cybercriminals are taking note: Kaspersky reported that distributed denial-of-service (DDoS) attacks are up 180% in Q1 2020 compared with this time last year. While there are no public reports on the frequency of DDoS attacks targeting videoconferencing providers, organizations should have a plan for service degradation and outages.
Here are some steps that you can take to secure your videoconferencing platform:
- Require a password/PIN for meetings
- Use a strong password (minimum of 14 characters) that is not the same as other accounts
- Utilize two-factor authentication (2FA) whenever possible
- Use a unique meeting link/ID for different groups
- Turn off “Embed passwords in meeting link for one-click join”
- Don’t post meeting links to public places
- Utilize the “waiting room” feature to ensure only authorized users join the call
- Restrict remote control to host only
- Make sure hosts are familiar with “mute,” “hold” and similar controls
- Ensure that the default settings for your organization are appropriate
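The checklist above can be turned into an automated audit of exported settings. This is an added example, not from the original article or any vendor's API: every setting name, meeting ID, and group name is hypothetical and must be mapped to your platform's own admin export.

```python
from collections import defaultdict

# Hypothetical setting names; map them to whatever your platform's admin export uses.
ORG_RULES = [
    ("min_password_length", lambda v: isinstance(v, int) and v >= 14,
     "account password minimum is below 14 characters"),
    ("require_2fa", lambda v: v is True, "2FA is not enforced"),
    ("embed_passcode_in_link", lambda v: v is False,
     "passcode is embedded in one-click join links"),
    ("remote_control", lambda v: v == "host_only",
     "remote control is not restricted to the host"),
]
MEETING_RULES = [
    ("passcode_required", lambda v: v is True, "no password/PIN required"),
    ("waiting_room", lambda v: v is True, "waiting room is off"),
]

def audit(org, meetings):
    """Return (scope, setting, problem) tuples; a missing setting fails closed."""
    findings = [("org", k, msg) for k, ok, msg in ORG_RULES if not ok(org.get(k))]
    groups_by_id = defaultdict(set)
    for m in meetings:
        groups_by_id[m["id"]].add(m["group"])
        findings += [(m["id"], k, msg) for k, ok, msg in MEETING_RULES
                     if not ok(m.get(k))]
    for mid, groups in sorted(groups_by_id.items()):
        if len(groups) > 1:  # checklist: unique meeting link/ID per group
            findings.append((mid, "id_reuse",
                             "ID shared by groups: " + ", ".join(sorted(groups))))
    return findings

# Constructed sample data: a weak configuration beside a corrected one.
WEAK_ORG = {"min_password_length": 8, "require_2fa": False,
            "embed_passcode_in_link": True, "remote_control": "all_participants"}
HARDENED_ORG = {"min_password_length": 14, "require_2fa": True,
                "embed_passcode_in_link": False, "remote_control": "host_only"}
WEAK_MEETINGS = [
    {"id": "MTG-A", "group": "finance", "passcode_required": False, "waiting_room": True},
    {"id": "MTG-A", "group": "all-hands", "passcode_required": False},
]
HARDENED_MEETINGS = [
    {"id": "MTG-B", "group": "finance", "passcode_required": True, "waiting_room": True},
    {"id": "MTG-C", "group": "all-hands", "passcode_required": True, "waiting_room": True},
]

if __name__ == "__main__":
    for scope, setting, problem in audit(WEAK_ORG, WEAK_MEETINGS):
        print(f"{scope:6} {setting:24} {problem}")
```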
Videoconferencing and video communications are a great tool for staying connected with colleagues, customers, and your community. Since these tools are increasingly important, they are increasingly targeted by cybercriminals. The good news is that the most common security issues can easily be avoided with secure default configurations and user training. By familiarizing your team with existing security features, and staying up-to-date on the latest developments, you can keep your videoconferencing platform safe from cybercriminals.