Video conferencing security and why it's so hard to attain
As the number of remote workers soars, video conferencing security has become a critical issue. What do you need to know about securing your conferencing platform?
This is the year video conferencing took center stage. After two decades of slow progress and adoption, the industry grew tenfold -- in just three months. The pandemic has shined a spotlight on the technology's advantages at a time when remote work has become the norm.
But all this attention also revealed some of the technology's vulnerabilities -- in particular, those related to video conferencing security. Up to now, security features played second fiddle to video conferencing's versatility and ease of use. That's no longer the case. Zoom's well-documented security shortfalls -- from flawed OS hacking and poor encryption practices to Zoombombing -- vividly illustrate the challenges video conferencing vendors face in ensuring their products are secure.
The problem is that security and privacy get intertwined, while remaining competing requirements. Within an enterprise meetings platform, organizations need first to decide who to secure and whose privacy they want maintained.
For example, complete privacy with end-to-end encryption of sessions is not possible in an industry where regulations require that all conversations be recorded. But encryption would be desirable to keep managed service vendors from eavesdropping on conversations conducted during a hosted video conferencing session.
Let's examine some of the main security issues vendors and buyers face when developing or seeking a secure video conferencing platform.
Reliance on secure standards. Video conferencing security is challenging because every platform has two huge vulnerability risks. The first is a backdoor, somewhere in the algorithm, which could be exploited. The second is in the implementation itself. Developers might have missed a security check or made a bad implementation decision that has left a vulnerability ripe for hackers to use.
Consider the Advanced Encryption Standard (AES), which is a way to encrypt text and to parry brute-force attacks. Or Secure Hash Algorithm 1 (SHA-1), which is a method to verify that a particular file hasn't been altered. These, along with other security algorithms used by video conferencing vendors, are open standards that are tinkered with continuously, revealing strengths and weaknesses as time goes by.
It should be a simple enough task to pick reasonable security algorithms. But the real threat is at a higher level: in how these algorithms are used to create a whole workflow for a given process. Video conferencing is a rather challenging workflow as it includes user authentication and authorization, signaling, media encryption and server management.
For many video conferencing vendors, usability trumped security. As such, it is crucial to select a platform that relies on open and secure standards and uses algorithms -- both high- and low-level -- that are deemed safe. This is accomplished through rigorous work in standardization bodies, where security experts from different vendors and countries take part in the process.
H.323 and Session Initiation Protocol are great examples where security was standardized. WebRTC, which mandates encrypted communications, offers an open source implementation and browser integration, removing some of the burdens associated with vendor-based security.
Encryption in transit and at rest. The basic requirement today for any communication service is to offer encryption in transit, as well as encryption at rest. Encryption in transit means that data sent over the network needs to be scrambled. For WebRTC, it means signaling, voice and video have to be encrypted between devices and servers.
Encryption at rest deals with all information that is being kept in storage, ranging from account information and text messages to call recordings. With video conferencing security, this is most relevant when sessions are being recorded. Regardless of the video conferencing service you use, today, it must support encryption in transit and at rest.
Solid security updates policy. Vendors should have a solid policy governing security updates. There isn't a single commercial product today that doesn't use some third-party open source component -- whether it is Linux, OpenSSL or another library.
All these third-party components have their own development and release cycles, and often, the updates they publish include security patches. Some of these patches can be highly important to the security of the application using them.
That's why vendors need internal policies that cover how third-party security fixes are issued and -- if relevant -- integrated into the core product. This may seem trivial, but it's a critical step. The better a vendor handles fix and patch management, the more secure its application will be.
Predictable behavior. Hackers rely on patterns, especially with software development. A good example is the practice of issuing default passwords for peripherals -- be they routers or printers. Often, these passwords are never changed and can be used by hackers to access the devices remotely.
The easiest way to end up with a repeatable, guessable item is to place items in an array and index each one by its sequential number. In video conferencing systems, this pattern shows up in how recorded session files are stored or how conference room numbers are created.
Even having access to just a few items, such as recording URLs or room numbers, enables hackers to deduce related resources by making an educated guess. If these resources are left unsecured or accessed through brute-force tactics, security can be easily compromised.
One way to prevent this behavior is to stop indexing predictable resources and assets. Instead, hash them in a way that makes guessing more difficult.
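The difference between a sequential identifier, a plain hash of it and a keyed or random identifier, shown as an added example that is not from the original article. The URL layout, function names and the demo key are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; a real service would load this from its secrets store.
SERVER_KEY = secrets.token_bytes(32)


def sequential_url(recording_no: int) -> str:
    """Predictable scheme: the storage index is the public identifier."""
    return f"/recordings/{recording_no}"


def unkeyed_hash_url(recording_no: int) -> str:
    """Looks opaque, but anyone can hash the same counter and get the same URL."""
    digest = hashlib.sha256(str(recording_no).encode()).hexdigest()
    return f"/recordings/{digest[:32]}"


def keyed_url(recording_no: int, key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA256 of the counter: stable per item, not computable without the key."""
    tag = hmac.new(key, str(recording_no).encode(), hashlib.sha256).hexdigest()
    return f"/recordings/{tag[:32]}"


def random_room_id() -> str:
    """Room identifier drawn from the OS CSPRNG, unrelated to any counter."""
    return secrets.token_urlsafe(16)


def derivable_without_key(scheme, recording_no: int) -> bool:
    """Audit check: does the scheme's URL match one built from public data only?"""
    public_candidates = {
        sequential_url(recording_no),
        unkeyed_hash_url(recording_no),
    }
    return scheme(recording_no) in public_candidates


if __name__ == "__main__":
    for scheme in (sequential_url, unkeyed_hash_url, keyed_url):
        print(scheme.__name__, scheme(1002), derivable_without_key(scheme, 1002))
    print("room", random_room_id())
```

An unguessable identifier only makes enumeration harder; the recording or room still needs its own access check.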
Brute-force protection. User IDs and PIN codes are necessary, but they are also the conduits through which hackers can gain access to the video conferencing system.
Besides increasing PIN code lengths and asking users to create better passwords, video conferencing vendors can also invest in ways to prevent brute-force attempts. This can be done by restricting access to only a certain number of attempts per second or minute or by even blocking access entirely if multiple retries are detected.
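A minimal version of the attempt limiting and lockout described above, as an added example that is not from the original article or any vendor's code. The thresholds, the PinGuard class and the (room, client address) key are assumptions chosen for illustration.

```python
import hmac
import time
from collections import defaultdict, deque

MAX_ATTEMPTS = 5        # failed attempts tolerated per window (assumed policy)
WINDOW_SECONDS = 60     # sliding window in which failures are counted
LOCKOUT_SECONDS = 300   # how long access is blocked once the limit is reached


class PinGuard:
    """Counts failed PIN attempts per key, e.g. (room ID, client address)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time at which the block ends

    def _allowed(self, key) -> bool:
        now = self._clock()
        if self._locked_until.get(key, 0) > now:
            return False
        recent = self._failures[key]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                  # forget failures outside the window
        return True

    def check_pin(self, key, supplied: str, expected: str) -> str:
        """Return 'ok', 'denied' (wrong PIN) or 'blocked' (locked out)."""
        if not self._allowed(key):
            return "blocked"                  # PIN is not even compared while locked
        if hmac.compare_digest(supplied.encode(), expected.encode()):
            self._failures.pop(key, None)
            return "ok"
        recent = self._failures[key]
        recent.append(self._clock())
        if len(recent) >= MAX_ATTEMPTS:
            self._locked_until[key] = self._clock() + LOCKOUT_SECONDS
            recent.clear()
        return "denied"
```

While a key is locked out, even the correct PIN is refused, so further guesses during the block reveal nothing about the PIN.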
The human factor. Security and privacy always come at the expense of ease of use. To make video conferencing security work, users need to authenticate themselves. They need to identify who they are and prove that identity. Guests joining a video session must be admitted manually. Yet, these requirements conflict with the ease-of-use models most video conferencing vendors promote when marketing their services. As a result, most vendors' default settings tend to lean toward simplicity and away from security and privacy.
While these settings can sometimes be configured by users, doing so can be both tedious and confusing. When security isn't built from the ground up, security-related settings tend to be added in a patchwork way, thus making them difficult to centrally manage or configure.
Compromising security for usability. Last year, Zoom was caught with its hand in the Apple cookie jar. When Zoom was installed on Mac devices, a local web server was also added on. The server remained even if users removed Zoom. Why? To make it easier and smoother for users if they needed to reinstall the software for future use.
This practice, understandably, is considered a security and privacy risk. It intentionally compromised the security of the user to improve the usability of the application. Similar techniques were used in the past to get screen-sharing access on mobile OSes. This kind of behavior defeats the whole intent of maintaining security and privacy. And it could have been avoided by adopting open standards -- in this case, WebRTC.
Vendors cannot minimize security in the name of usability. All the security components of an underlying OS or browser need to be adopted and supported to adequately protect the user.
The fine line between usability and security. Security and usability don't go hand in hand. Adding more security usually comes at the expense of usability and vice versa. But, as video conferencing becomes more popular, vendors must find ways to improve their security, while compromising as little as possible on usability. It's important for them to find the right balance and to develop services that are versatile, as well as secure.