The problems with videoconferencing apps

How secure are the most popular videoconferencing apps?

#stayhome is not just a popular tag around social networks these days, but also a harsh reality for businesses forced by the coronavirus pandemic to send most of their staff home to work remotely. Face-to-face meetings have been replaced by video calls. But corporate conferences are there to discuss more than just the weather, so before you commit to a videoconferencing app, take a look at its data protection mechanisms.  To be clear, we have not conducted lab-based testing on these apps; we browsed publicly available sources for information about known problems in the most widely used software.

Google Meet and Google Duo

Google offers two video call services: Meet and Duo. The first is an app that integrates with Google’s other services (the G Suite). If your company uses those, Hangouts Meet will fit in nicely.

Security — Google Meet

Among Meet’s advantages, the vendor cites reliable data-processing infrastructure, encryption (not end-to-end, though) and a set of protection tools, all active by default. Like most other business products, G Suite, including Google Meet, conforms to advanced security standards and offers configuration and access-rights-management options among its features.

Security — Google Duo

The mobile app Duo, on the other hand, protects data using end-to-end encryption. However, it is an application designed for private users, not for businesses. Its conferences can accommodate only up to 12 participants.

Vulnerabilities and downsides

Other than some messages reminding us all that Google collects user data and therefore can be a threat to trade secrets we were unable to find concrete information about these apps’ security performance. That does not mean that Google services are flawless, but they are backed by a very strong security team that tends to fix problems before they cause any trouble.

Slack

In Slack, you can create multiple chat workspaces for teams, conveniently shown in one window, plus channels inside your workspace dedicated to different projects. Conferencing is limited to 15 participants.

Security

Slack complies with a bunch of international security standards, including SOC 2. The service can be configured to work with medical and financial data and allows companies to select a region for data storage. And joining a Slack workspace requires either an invitation or an e-mail address using the corporate domain.

Slack also offers its customers flexible risk management instruments, integration with Data Loss Prevention (DLP) solutions, and data-access-control tools. For example, administrators can restrict the use of Slack from personal devices and the copying of information from its channels.

Vulnerabilities and downsides

According to Slack’s developers, only a limited number of businesses really need end-to-end encryption, and implementation of the feature can limit functionality. Therefore, Slack apparently has no plans to add end-to-end encryption.

Slack also lets you integrate third-party apps, whose security is not Slack’s responsibility.

Also, researchers have found vulnerabilities — serious ones — in Slack. Slack has patched the following: a bug that allowed attackers to steal data and one enabling interception of a user’s session.

Teams

Microsoft Teams integrates with Office 365, which is its main advantage for a corporate user. In response to the increased demand for work from home tools, Microsoft is now offering a free six-month Microsoft Teams trial, but free users will not be able to configure user settings and policies — a potential security compromise.

Security

Teams complies with a number of international standards, can be set up to work with confidential medical data, and boasts flexible security management options. Under some service plans, additional tools, such as DLP or outgoing file scanning, can be integrated into Teams. Our solution for protecting MS Office 365 scans the data exchanged through Teams to prevent malware from spreading through the corporate network.

Data sent to the server, whether chats or video calls, is encrypted, but again we are not talking about end-to-end encryption. Speaking of storage and processing, the information never leaves the region in which your company operates.

Vulnerabilities

It is a good idea to monitor vulnerabilities in Teams. Microsoft typically patches vulnerabilities quickly, but they do arise from time to time. For example, researchers recently found a vulnerability (since patched) that enabled account takeover.

Skype for Business

The cloud version of Skype for Business — the predecessor of Teams in Office 365 — is gradually becoming a thing of the past, but you can still install it locally. Some users find it more convenient than Teams, and Microsoft will continue to support the local version of Skype for the next couple of years.

Security

Skype for Business encrypts information, but not end-to-end, and the service’s protection is configurable. It also uses local server software, so video calls and other data never leave the corporate network — an obvious advantage.

Vulnerabilities and downsides

The product won’t be supported forever. Unless Microsoft changes its plans, support for the application will end in July 2021, and Skype for Business Server 2019 will be on extended support until October 14, 2025.

WebEx Meetings and WebEx Teams

Cisco WebEx Meetings is quite a narrow-focus service for videoconferencing.  Cisco WebEx Teams is a full-featured coworking service that, among other things, supports video calls. As far as the scope of this post, the difference is in encryption approach.

Security

Cisco WebEx Meetings includes business-class services and end-to-end encryption. (The option is off by default, but the provider will activate it on request. Doing so somewhat limits the utility’s functionality, but if your employees deal with confidential information in meetings, it is certainly a good option to consider.) Cisco WebEx Teams provides end-to-end encryption only for correspondence and documents;, whereas video and audio calls are decrypted at Cisco’s servers.

Vulnerabilities and downsides

Only this March, the vendor patched two WebEx Meetings vulnerabilities threatening remote execution of code. And early last year, a serious bug was found in WebEx Teams client. It allowed the execution of commands with the current user’s privileges. Cisco is known to be serious about security, though, and updates its services quickly.

WhatsApp

WhatsApp was built for social communication, not business, but the free app can cover the videoconferencing needs of small companies or teams. The program is not suitable for large business; videoconferencing is available only for up to four participants at a time.

Security

WhatsApp has the indisputable advantage of true end-to-end encryption. That means neither third parties nor WhatsApp’s employees can view your video calls. But unlike business apps, WhatsApp offers almost no chat and call security management options, only what’s built in.

Vulnerabilities and downsides

Just last year, attackers distributed Pegasus spyware through WhatsApp video calls. The bug was fixed, but remember, the app is not meant to offer business-class protection, so at the very least, users should follow cybersecurity news carefully.

Zoom

The cloud-based videoconferencing platform Zoom has been in the news since the beginning of the epidemic. Its flexible pricing (with free 40-minute conferences up to 100 participants) and user friendliness have attracted tons of users, but the platform’s foibles have also attracted tons of attention.

Security

The service complies with the SOC 2 international security standard, offers a separate HIPAA-compliant service plan for health-care providers, and has flexible configuration. Session organizers can block out participants even if they have the right hyperlink and password, ban recording, and more. If needed, Zoom can be set up in such a way that no traffic leaves the company.

Zoom has been actively addressing reported vulnerability issues, and the company says it plans to prioritize product security over adding new features.

Vulnerabilities and downsides

Zoom claims to have implemented end-to-end encryption, but the claim is not quite justified. With end-to-end encryption, no one other than the sender and the recipient can read transmitted data, whereas Zoom decrypts video data on its servers, and not always in your company’s home country, either.

Vulnerabilities of varying severity have been discovered in Zoom applications. Zoom’s Windows and macOS clients were reported to have a bug (already fixed) that let hackers steal the computer’s account data. Two more bugs in the macOS app potentially allow attackers to completely take over the device.

In addition, many reports surfaced of Internet trolls visiting open conferences, unprotected with passwords, to post dubious comments and share screens with obscene content. On the whole, you can fix the problem by configuring your conference properly, but Zoom has also added default password protection to be on the safe side.

Amid news of security issues in Zoom, large players have disparaged the service. But all services have vulnerabilities, and in Zoom’s case, explosive popularity has brought tremendous scrutiny.

Choose the app that suits you best

There is no such thing as a perfectly secure videoconferencing app — or any other kind of app, for that matter. Choose a service whose downsides are not problematic for your business. And remember, choosing the right app is only step 1.

  • Take the time to properly configure the service. Permissive settings have enabled many a leak.
  • Update your apps promptly to seal vulnerabilities as soon as possible.
  • Make sure your employees have at least basic safe Internet behavior skills. If not, arrange for a remote training class through our Kaspersky Automated Security Awareness Platform
Tips