You are here

Video Conferencing Apps: A New Playground for Cyber Criminals

Ms Kritika Roy is a Threat Intelligence Researcher at DCSO Deutsche CyberSicherheitsorganisation, Berlin, Germany.
  • Share
  • Tweet
  • Email
  • Whatsapp
  • Linkedin
  • Print
  • April 11, 2020

    The Covid-19 outbreak has curbed the movement of more than half of the world’s population. This has pushed the working population to become remote workers, many for the first time. The sudden spike in people working from home has led to an increase in demand for videoconferencing apps, chat systems and online collaboration tools. Today, business conferences are being held online, schools and universities are conducting online classes, and even yoga sessions are being held online.  Notably, government meetings too have shifted to the online mode. The United Kingdom Government has been holding its daily cabinet meetings online while India has held a video conference with South Asian Association for Regional Cooperation (SAARC) leaders to brainstorm means to curb the spread of Covid-19.1

    It will not be an exaggeration to say that it took a global scale disease outbreak to shift people from talking about digitalisation to actually imbibing digital models in their conventional workspaces. What we are, therefore, witnessing today is a truly digitalised world.  However, this has also led to the rise of a plethora of opportunities for malicious actors to exploit the existing vulnerabilities.

    Dark Side of Video Conferencing Apps

    Many of these online tools have been available for a long time even though they were rarely fully employed. However, the sudden surge in usage of different online platforms like Zoom, Classroom, Slack, Cisco WebEx, etc., for taking classes or conducting online meetings has exposed the dark side of several of these applications. There has been a mass adaptation of online platforms without giving much consideration to the security settings of these platforms. This has paved the way for cyber criminals to take advantage of loopholes for malicious purposes.

    Educational apps and student online programmes track students’ every response, thereby developing a profile-based understanding of each student. This has forced many users to demand more accountability and transparency from software developers, particularly when many apps sell data to third party data brokers for unspecified uses.2 While the major concern of the educational institutions remains the privacy and security of students’ data, it is the businesses which have a lot more to fear and lose. Last year, Slack listed a litany of cyber security related threats, including the traditional hacking techniques of malware, ransomware, password spraying3, phishing, credential stuffing and Denial of Service Attacks (DoS).4

    ‘ZOOMING’ Out in Popularity and Vulnerabilities

    Zoom Video Communications, a California based company, provides a remote conferencing service that combines online meetings, video conferencing, chats and mobile collaborations.5 With the  ongoing endeavour of social distancing and working from home gaining traction, Zoom has seen a considerable uptick in its usage as well as breaching attempts.6 With a new found celebrity status among the video conferencing applications, it  now  faces a  massive privacy and security threat as the platform’s default settings are not secure enough.

    Last year, Zoom’s web server was quietly removed from Macs over a serious vulnerability issue that “allowed any website to open up a Zoom conference call on your computer automatically with the webcam on. Even if the Zoom application was uninstalled, the web server persisted on the machine and it could reinstall the application automatically.”7 In 2020, a research published by Checkpoint - a cyber security company - stated that Zoom has witnessed an exponential rise in malicious domain registrations.8 It was also reported that the hackers have discovered a technique to identify and join active Zoom Meetings.9 This phenomenon has been tagged as “Zoombombing”10, wherein nefarious actors may join calls and broadcast porn or prank videos. The Boston office of the Federal Bureau of Investigation (FBI) has warned against Zoom, cautioning individuals from making meetings on the site public or sharing links after it received two reports of anonymous individuals disrupting school sessions.11

    Privacy has been another major concern among users. In March 2020, Zoom was sued for illegally disclosing personal data to Facebook and other third parties.12 Zoom clarified in its statements that it has removed the code that sent data to Facebook. However, this was not the end of Zoom’s troubles. The company has had to update its privacy policy which earlier allowed it to collect data and transcripts from users’ meetings via the software’s chat feature in order to target ads at the users.13 The new privacy policy published by the company articulates in detail the kind of data being collected. This includes the user name and phone numbers.14 Nevertheless, the new policy did not provide clarity on whether any kind of facial data or video footage is being stored for artificial intelligence (AI) and object recognition training.

    Zoom also claims that it implements end-to-end encryption (E2E) for video and audio content. E2E is understood as the most discreet form of internet communication, protecting conversations from any external interception including the host platform.15 However, the connection between the Zoom app running on a user’s system or phone and Zoom’s server is encrypted similar to the connection between a user’s web browser and this article is encrypted. This form of encryption, called transport encryption, is different from E2E because the Zoom service itself can access the unencrypted video and audio content of the Zoom meetings.16

    With the government and businesses holding meetings on the Zoom platform, there has been a constant fear of espionage and violation of privacy. Several organisations and companies like the National Aeronautics and Space Administration (NASA) and SpaceX have issued advisories to their employees to use more traditional means of communication like email, text or phone to interact with each other.17 In order to allay these fears, Zoom has recently committed to human rights group Access Now’s open letter to publish “a transparency report that details information related to requests for data, records and content.”18

    India’s Response

    The Indian Computer Emergency Response Team (CERT-In) has warned of the dangers of unprotected use of this digital platform, given its susceptibility to cyberattacks, including pilferage of sensitive data. In a reported incident, Broadcast Audience Research Council (BARC), while hosting a virtual conference of about 600 people via Zoom on television and smartphone consumption trends, was forced to stop the briefing midway because of a hacking incident.19

    In this context, India’s national cybersecurity agency has released an advisory to secure communications while using the app. It includes:

    • Keeping the Zoom software patched by its regular updation.
    • Using strong and difficult-to-guess passwords for all meetings and webinars, and locking the meeting session once all attendees have joined.
    • Enabling the waiting room feature, for meetings involving discussion of sensitive information, so that the host can have control over the participants.
    • Restricting the call record feature to trusted participants only and limiting screen sharing to the host only.
    • Restricting or disabling file transfers – unless essential – and ensuring that removed participants are unable to re-join meetings.20

    Securing the New Normal

    Businesses and educational institutions have always preferred time-tested traditional methods of face-to-face meetings, classroom teaching modules, and paper-pencil mechanisms. However, today, the disruptions caused by the pandemic have compelled them to reassess their options and adopt online applications while often overlooking its security aspects. Invariably, this has led to an increase in cybercrimes since the outbreak of Covid-19 and specifically in phishing attacks in most of the leading communication application.

    In this context, the adage that “if it is free, you are probably the product” should act as a motivation for individuals to examine the privacy policy of any particular app. This can help one verify the app’s motive of collecting, selling or sharing one’s data and whether it is being used for funding the provision of its ‘free’ service. The examination of the privacy policy should, therefore, be accorded primary importance. Additionally, encryption and password-protection should always be the first line of defence wherever possible.

    It is likely that the ongoing churnings will bring about a pervasive change in the way people live and work. Video conferencing apps are a great tool to conduct meetings and conferences online, while saving up significantly on travel time and costs. It may, therefore, become the new normal. However, concerns about security are legitimate and should be given due consideration.

    Views expressed are of the author and do not necessarily reflect the views of the Manohar Parrikar IDSA or of the Government of India.