Since the advent of Covid-19, many previously in-person activities have migrated online. From homeschooling children to large scale working from home to keeping in touch with friends and family, we are increasingly reliant on the internet to stay connected, and that trend looks set to continue.
Video conferencing has been central to this. In April 2020, Zoom announced it had 300 million daily meeting participants, up from 10 million daily in December 2019 — a thirtyfold increase in just four months. The pandemic has seen the Zoom app become one of the most downloaded apps in recent months. Students, teachers, family members, businesses, and community groups of all sizes use video conferencing to carry out tasks and activities — and so too are high profile users like Alan Greenspan, the former US federal reserve chair, and Boris Johnson, British Prime Minister. But how secure are video chat services, and what can you do to stay safe?
Here, we explore the key issues related to video conferencing security and what you can do to ensure safe video calls.
The US government considers the remote-working trend to be a matter of national security, given the potential for hacking. The National Security Agency recently released an assessment of 13 of the most popular video-chatting tools.
Some of its grading criteria included:
You can read the full report here, but in essence, the NSA concludes that each video chat service has at least one security deficiency. For example:
The NSA gave its highest scores to Facebook’s WhatsApp, Signal (whose code WhatsApp uses), and chat app Wickr. While the NSA’s report is not conclusive, it is a useful overview of the critical issues associated with video conferencing security and highlights that none of the products currently on the market check all boxes when it comes to ensuring safety.
Common video conferencing security concerns include:
That is, encrypted video conferencing, which secures communication so that it can only be seen by the users involved and nobody in between, not even the app itself. To find out more about data encryption and how it works, read our ‘What is data encryption’ article.
Can others spy on the call and potentially record it? Who can join your calls, and how might they go about getting in? As schools migrate to Zoom for online classes, privacy violations could raise child safeguarding concerns. Zoom meetings can be accessed by a short number-based URL, which can easily be generated and guessed by hackers.
To what extent is there adherence to privacy frameworks like Europe’s General Data Protection Regulation or California’s Consumer Privacy Act. How transparent are the apps with their users about what data is being collected and which third-parties can access that data?
This is especially relevant if you are dealing with sensitive information and documents.
For example, Zoom has been criticized for its “attention tracking” feature, which allows hosts to see if a user clicks away from a Zoom window for 30 seconds or more. This feature could enable employers to check if employees are really tuned in to a work meeting or if students are really watching a classroom presentation remotely.
For example, could users unknowingly download apps that gain access to the camera and microphone? The app/malware could give away personal information to a hacker who then leaks it.
On Zoom in particular: several Zoom security vulnerabilities have been reported in the past. For example, in 2019, it was revealed that Zoom had installed a hidden web server on user devices that could allow the user to be added to a call without their permission. Another bug enabled hackers to take over a Zoom user’s Mac, including tapping into the webcam and hacking the microphone. In response, Zoom has worked hard to address security concerns and provides regular updates on its company blog.
One of the most talked-about examples of video hijacking recently is “Zoom bombings." This is where hackers enter chat rooms shouting racist language or violent threats. While the term "Zoom bombing" is derived from the Zoom app, similar incidents have also taken place on other video conferencing platforms, including WebEx and Skype. On 30 March 2020, the FBI announced it was investigating increased cases of video hijacking.
In forums such as Reddit or Discord, there have been co-ordinated attempts to disrupt Zoom sessions. On Twitter, various accounts have advertised passwords for video conferences that were vulnerable to be being joined without permission. At some educational institutions, some students have promoted video hijacking as a way to disrupt online classes.
Compromised Zoom sessions — where uninvited users show up to hijack the meeting by saying things that are obscene, racist, or antisemitic, leading the host to shut down the session — are then shared by hackers on video sharing platforms like TikTok and YouTube.
In the past, simple Google searches for URLs that include "Zoom.us" could bring up conferences that are not password protected — making it easy for hackers to join uninvited.
While hijacked meetings are disruptive and disturbing for participants, a potentially more worrying threat is intruders who lurk in meetings without disclosing their presence — presenting serious risks for both corporate security and individual privacy.
Forbes recently reported on a hacker selling over 500,000 stolen Zoom credentials, including personal meeting URLs and Zoom host keys. A large proportion of these credentials were likely re-used passwords that hackers had obtained from elsewhere.
In response, Zoom stated that:
“We have already hired multiple intelligence firms to find these password dumps and the tools used to create them, as well as a firm that has shut down thousands of websites attempting to trick users into downloading malware or giving up their credentials. We continue to investigate, are locking accounts we have found to be compromised, asking users to change their passwords to something more secure, and are looking at implementing additional technology solutions to bolster our efforts.”
While Skype is widely known and has been around for a while, and people were used to using FaceTime to video call their friends, the video conferencing app which has been most popular since the Covid-19 crisis started is Zoom.
The rapid rise in users has increased criticism that Zoom has not taken users’ video conferencing security concerns seriously. Zoom does not — as some users previously thought — have end-to-end encryption has caused worry. Zoom has issued guides to locking down meetings in a blog post and a video, but that still places the burden on users to protect themselves.
The specifics of exactly how to safeguard each video chat will vary from platform to platform, so it is important to familiarise yourself with your chosen platform's details. That said, many of the broad principles are the same, regardless of which video chat app you use.
Here are some key tips for online video chat safety:
Be vigilant about what you share online, including what you say or do in video calls. Because of the risk of others obtaining a recording of the call or attending unannounced, be careful about what you reveal. Keep personal information to yourself unless strictly necessary.
Do not publicize it in public social media posts, group emails, online profiles, or anywhere others might see it. Invite attendees from within the conferencing software — and tell them not to share the link.
Establish alerts, so you know when meeting invites are forwarded by email to others. This way, you can check that additional invitees are legitimate and query the forwarding of the invite if not. If necessary, schedule a new meeting with new log-in details.
Most video calling apps give you the ability to protect your calls with a password. Pick a strong password and not one which is easily guessed. Use strong and different passwords for different apps and services.
This ensures that no-one else can access your communications. The leading video apps with end-to-end encryption include:
Update the apps regularly. When security vulnerabilities and privacy exploits show up, they usually appear in older, out-of-date versions of apps. Updates often include bug fixes and security patches that will fix issues and vulnerabilities. Keeping your video conference app updated is one of the best ways to stay secure against hackers (when a company issues a patch to fix a security flaw, it’s applied via an update). This is a security precaution you should apply across the board, not just with video chat and video conferencing apps. Keeping your apps and devices updated is straightforward on all major platforms. Most of the time, you don’t have to do anything except confirm the updates. Double-check that meeting participants are using the most up-to-date version available.
However, if a valid participant drops out, be sure to unlock the meeting to let them back in and then re-lock it after they return.
Such features put participants in a separate virtual room before the meeting and allow the host to admit only people who are supposed to be in the room. The chairperson or host of the conference should control admittance. Invite each attendee to speak at the start of the call to identify any unknown attendees.
It pays to know the ins and outs of any video software before you use it, so do your research. Take the time to click through all the settings, check your user profile, and everything else you can access to see if there is anything you need to change. If something confuses you and you are not sure what to do, make a note and look it up later to see if you need to take any action.
It is always worth going through video chat settings yourself to see if there are extra privacy features you can enable.
Learn how to identify fake apps. Check for ratings and user reviews and beware of apps from unauthorized websites.
Make sure the person you are video conferencing is trustworthy before you share anything private with them. Don’t accept chat requests or calls from non-friends. Don’t answer calls from unknown callers.
Doing this makes it harder for hackers to access a person's devices or online accounts. This is because knowing the victim's password alone is now no longer enough: they will need an extra PIN number.
Companies will spy on you whenever they can, so do not let them if you can help it. Cover your webcam when not in use and make sure you close the app/program down completely once you have finished using it.
Block any attendees except for the chairperson or host from recording the meeting or set up alerts to identify which attendee has started recording.
For example, anything that might allow third-party information sharing and anything that claims to improve your experience by giving advertisers or partners access to your data. Turn off settings that enable strangers to find you, friend you, join your group or room or message you. Toggle off anyone’s ability to record you. Use passwords on everything.
Turning off your webcam and listening in via audio prevents possible efforts to learn more about you through background objects. Audio-only also saves network bandwidth on an internet connection, improving the overall audio and visual quality of the meeting.
A webcast is a conference or presentation which is conducted online. Participants can watch the presentation and send questions to the speaker or engage other delegates. Webcasts give control only to the host and selected presenters and can help you keep better control of large meetings.
The same features that make free Wi-Fi hotspots desirable for consumers make them desirable for hackers; namely, that it requires no authentication to establish a network connection. This creates an opportunity for the hacker to get unfettered access to unsecured devices on the same network. Take precautions while using them.
Someone with physical access to your phone can easily install hacking apps and cause trouble.
Remember: hackers and cybercriminals are opportunistic. So, the increased use of video conferencing has meant that it has become a target. As video call technology evolves, the main players will need to sustain their efforts to ensure safety for users.
You can stay safe by using Kaspersky’s Antivirus protection, which guards you against viruses on your PC and Android devices, secures and stores your passwords and private documents, and encrypts the data you send and receive online with VPN.