Since the advent of Covid-19, many previously in-person activities have migrated online. From homeschooling children to large-scale working from home to keeping in touch with friends and family, we are increasingly reliant on the internet to stay connected, and that trend looks set to continue.
Video conferencing has been central to this. In April 2020, Zoom announced it had 300 million daily meeting participants, up from 10 million daily in December 2019 — a thirtyfold increase in just four months. The pandemic has seen the Zoom app become one of the most downloaded apps in recent months. Students, teachers, family members, businesses, and community groups of all sizes use video conferencing to carry out tasks and activities — and so too are high profile users like Alan Greenspan, the former US federal reserve chair, and Boris Johnson, British Prime Minister. But how secure are video chat services, and what can you do to stay safe?
Here, we explore the key issues related to video conferencing security and what you can do to ensure safe video calls.
How Safes Are Online Video Calls and Conference Calls?
The US government considers the remote-working trend to be a matter of national security, given the potential for hacking. The National Security Agency recently released an assessment of 13 of the most popular video-chatting tools.
Some of its grading criteria included:
- Does the service use end-to-end encryption, which limits the ability of others to spy or eavesdrop on the call?
- Does it use multi-factor authentication, an option that securely locks down user accounts?
- Is the technology based on publicly inspectable, open-source code that is considered more secure than inscrutable proprietary software?
- Does the tool share data with third-parties or affiliates?
- Can users securely delete data from the service and its repositories as needed (both client and server-side)?
You can read the full report here, but in essence, the NSA concludes that each video chat service has at least one security deficiency.
- Google G Suite and Microsoft Teams do not have end-to-end encryption and do not use open source code.
- Cisco WebEx, Zoom, Slack, and Skype for Business have sub-optimal data deletion policies.
- GoToMeeting has no multi-factor authentication option.
The NSA gave its highest scores to Facebook’s WhatsApp, Signal (whose code WhatsApp uses), and chat app Wickr. While the NSA’s report is not conclusive, it is a useful overview of the critical issues associated with video conferencing security and highlights that none of the products currently on the market check all boxes when it comes to ensuring safety.
Common Online Video Security Concerns
Common video conferencing security concerns include:
Is there end-to-end encryption?
That is, encrypted video conferencing, which secures communication so that it can only be seen by the users involved and nobody in between, not even the app itself.
Can video calls be intercepted and recorded by a third-party?
Can others spy on the call and potentially record it? Who can join your calls, and how might they go about getting in? As schools migrate to Zoom for online classes, privacy violations could raise child safeguarding concerns. Zoom meetings can be accessed by a short number-based URL, which can easily be generated and guessed by hackers.
How is your account data used?
To what extent is there adherence to privacy frameworks like Europe’s General Data Protection Regulation or California’s Consumer Privacy Act. How transparent are the apps with their users about what data is being collected and which third-parties can access that data?
Where is the data associated with your video app stored on….your computer or phone?
This is especially relevant if you are dealing with sensitive information and documents.
- On Skype, photos you receive are saved to your device unless you change this. (Go to Messaging in Settings on Android or iOS to configure the option.)
- If you download the chat log that goes alongside a video call on Zoom, it will also include any private, one-on-one chats between call participants. This could be a problem on work calls where you might be having a private conversation that you do not want anyone else to see.
Are there in-app surveillance measures?
For example, Zoom has been criticized for its “attention tracking” feature, which allows hosts to see if a user clicks away from a Zoom window for 30 seconds or more. This feature could enable employers to check if employees are really tuned in to a work meeting or if students are really watching a classroom presentation remotely.
Is there potential for inadvertently downloading malware that results in hacks?
For example, could users unknowingly download apps that gain access to the camera and microphone? The app/malware could give away personal information to a hacker who then leaks it.
On Zoom in particular: several Zoom security vulnerabilities have been reported in the past. For example, in 2019, it was revealed that Zoom had installed a hidden web server on user devices that could allow the user to be added to a call without their permission. Another bug enabled hackers to take over a Zoom user’s Mac, including tapping into the webcam and hacking the microphone. In response, Zoom has worked hard to address security concerns and provides regular updates on its company blog.
Examples of Online Video Hacks
One of the most talked-about examples of video hijacking recently is “Zoom bombings.” This is where hackers enter chat rooms shouting racist language or violent threats. While the term “Zoom bombing” is derived from the Zoom app, similar incidents have also taken place on other video conferencing platforms, including WebEx and Skype. On 30 March 2020, the FBI announced it was investigating increased cases of video hijacking.
In forums such as Reddit or Discord, there have been co-ordinated attempts to disrupt Zoom sessions. On Twitter, various accounts have advertised passwords for video conferences that were vulnerable to be being joined without permission. At some educational institutions, some students have promoted video hijacking as a way to disrupt online classes.
Compromised Zoom sessions — where uninvited users show up to hijack the meeting by saying things that are obscene, racist, or antisemitic, leading the host to shut down the session — are then shared by hackers on video sharing platforms like TikTok and YouTube.
In the past, simple Google searches for URLs that include “Zoom.us” could bring up conferences that are not password protected — making it easy for hackers to join uninvited.
While hijacked meetings are disruptive and disturbing for participants, a potentially more worrying threat is intruders who lurk in meetings without disclosing their presence — presenting serious risks for both corporate security and individual privacy.
Forbes recently reported on a hacker selling over 500,000 stolen Zoom credentials, including personal meeting URLs and Zoom host keys. A large proportion of these credentials were likely re-used passwords that hackers had obtained from elsewhere.
In response, Zoom stated that:
“We have already hired multiple intelligence firms to find these password dumps and the tools used to create them, as well as a firm that has shut down thousands of websites attempting to trick users into downloading malware or giving up their credentials. We continue to investigate, are locking accounts we have found to be compromised, asking users to change their passwords to something more secure, and are looking at implementing additional technology solutions to bolster our efforts.”
How to protect your Zoom calls
While Skype is widely known and has been around for a while, and people were used to using FaceTime to video call their friends, the video conferencing app which has been most popular since the Covid-19 crisis started is Zoom.
The rapid rise in users has increased criticism that Zoom has not taken users’ video conferencing security concerns seriously. Zoom does not — as some users previously thought — have end-to-end encryption that has caused worry. Zoom has issued guides to locking down meetings in a blog post and a video, but that still places the burden on users to protect themselves.
Seven tips to help you protect your Zoom calls
- Lockdown the meeting room by using passwords and requiring authentication. That way, only the people you want are on the call. Remove unwanted or disruptive participants.
- Lockdown screen sharing. That way, only people you want can share their screen.
- Be careful about clicking on links and opening documents sent to you. Verify via another communication channel that the sender really did send the link or document to you.
- Be careful what you show in the background. For example, move any personal items or photographs of your children out of shot if you do not want those to be seen. Zoom also offers the chance to change the background behind you. (Other meeting apps — for example, Skype — give you the option to blur whatever is behind you.)
- Be careful what is on your screen before using the screen sharing function. For example, any other tabs or private chat windows that may be open or any documents that may display sensitive financial or personal information. Be careful about accidentally showing an item of mail with your address on it, or accidental close-ups of your ID, a credit card, or anything else you might not want a stranger to see.
- Check your settings. Some security settings are not enabled by default. Zoom has different settings for desktop and mobile — the desktop settings are more detailed and offer more control than the cell phone version. For example, hosts have more management tools, and users can only manage blocked accounts on the desktop.
- Keep an eye on news about app updates. Keeping up to date will give you a better idea of the various privacy and security features which are available.
How to Keep Your Video Chats Safe from Hackers
The specifics of exactly how to safeguard each video chat will vary from platform to platform, so it is important to familiarise yourself with your chosen platform’s details. That said, many of the broad principles are the same, regardless of which video chat app you use.
Here are some key tips for online video chat safety:
Watch what you are sharing
Be vigilant about what you share online, including what you say or do in video calls. Because of the risk of others obtaining a recording of the call or attending unannounced, be careful about what you reveal. Keep personal information to yourself unless strictly necessary.
Be careful who you share the invitation link with
Do not publicize it in public social media posts, group emails, online profiles, or anywhere others might see it. Invite attendees from within the conferencing software — and tell them not to share the link.
Set up alerts when meetings are forwarded
Establish alerts, so you know when meeting invites are forwarded by email to others. This way, you can check those additional invitees are legitimate and query the forwarding of the invite if not. If necessary, schedule a new meeting with new log-in details.
Pick a strong password
Most video calling apps give you the ability to protect your calls with a password. Pick a strong password and not one which is easily guessed. Use strong and different passwords for different apps and services.
Choose end-to-end encryption in your video conference tools
This ensures that no-one else can access your communications. The leading video apps with end-to-end encryption include:
Keep your software up to date
Update the apps regularly. When security vulnerabilities and privacy exploits show up, they usually appear in older, out-of-date versions of apps. Updates often include bug fixes and security patches that will fix issues and vulnerabilities. Keeping your video conference app updated is one of the best ways to stay secure against hackers (when a company issues a patch to fix a security flaw, it’s applied via an update). This is a security precaution you should apply across the board, not just with video chat and video conferencing apps. Keeping your apps and devices updated is straightforward on all major platforms. Most of the time, you don’t have to do anything except confirm the updates. Double-check that meeting participants are using the most up-to-date version available.
Lock meetings once all the participants have joined
However, if a valid participant drops out, be sure to unlock the meeting to let them back in and then re-lock it after they return.
The use of waiting room features in video conferencing software
Such features put participants in a separate virtual room before the meeting and allow the host to admit only people who are supposed to be in the room. The chairperson or host of the conference should control admittance. Invite each attendee to speak at the start of the call to identify any unknown attendees.
Know the rules
It pays to know the ins and outs of any video software before you use it, so do your research. Take the time to click through all the settings, check your user profile, and everything else you can access to see if there is anything you need to change. If something confuses you and you are not sure what to do, make a note and look it up later to see if you need to take any action.
Enable extra privacy features
It is always worth going through video chat settings yourself to see if there are extra privacy features you can enable.
- On Skype, you can choose whether other users can find you by phone number or email address.
- On FaceTime, you can control whether other people can find you via a phone number or an email address. If you do not want to be reached by long-lost school friends or distant relations, turning off this option can help.
- There is the Knock Knock feature on Google Duo, which shows your video feed to contacts when you call them before they pick up. If you are not comfortable with this happening, tap the three dots in the top right corner on the main Duo app interface, then Settings and Knock Knock to turn it off.
Always download apps from the official App Store
Learn how to identify fake apps. Check for ratings and user reviews and beware of apps from unauthorized websites.
Only chat with people you really know
Make sure the person you are video conferencing is trustworthy before you share anything private with them. Don’t accept chat requests or calls from non-friends. Don’t answer calls from unknown callers.
Set up multi-factor authentication
Doing this makes it harder for hackers to access a person’s devices or online accounts. This is because knowing the victim’s password alone is now no longer enough: they will need an extra PIN.
When you are not on a call, make sure the app is not running
Companies will spy on you whenever they can, so do not let them if you can help it. Cover your webcam when not in use and make sure you close the app/program down completely once you have finished using it.
Prevent the recording of meetings
Block any attendees except for the chairperson or host from recording the meeting or set up alerts to identify which attendee has started recording.
Turn off anything that gives the app too many permissions
For example, anything that might allow third-party information sharing and anything that claims to improve your experience by giving advertisers or partners access to your data. Turn off settings that enable strangers to find you, friend you, join your group or room, or message you. Toggle off anyone’s ability to record you. Use passwords on everything.
Do not use video on a call if you do not need to
Turning off your webcam and listening in via audio prevents possible efforts to learn more about you through background objects. Audio-only also saves network bandwidth on an internet connection, improving the overall audio and visual quality of the meeting.
If you are doing large calls, consider using webcast instead of video meeting capabilities
A webcast is a conference or presentation which is conducted online. Participants can watch the presentation and send questions to the speaker or engage other delegates. Webcasts give control only to the host and selected presenters and can help you keep better control of large meetings.
Be careful when using public Wi-Fi networks
The same features that make free Wi-Fi hotspots desirable for consumers make them desirable for hackers; namely, that it requires no authentication to establish a network connection. This creates an opportunity for the hacker to get unfettered access to unsecured devices on the same network. Take precautions while using them.
Do not give your phone to people other than people you trust
Someone with physical access to your phone can easily install hacking apps and cause trouble.
Remember: Hackers and Cybercriminals are opportunistic. So, the increased use of video conferencing means that it has become a target. As video call technology evolves, the main players will need to sustain their efforts to ensure safety for users.