Video conferencing is not safe for business - interview
The pandemic forced the world to reconsider the intricacies of video conferencing. Safety, however, scarcely had a place on the steep learning curve.
Many companies around the world were forced to adopt daily video conferencing in 2020. Even though the pandemic will eventually recede, and more people will return to their office-bound desks, the mass use of video conferencing platforms is here to stay.
Recent market research shows that the video conferencing market is expected to almost double in the coming years, with revenues exceeding tens of billions of dollars.
There's one thing lacking in the discussion about video conferencing through – safety. While Zoom bombing, unauthorized access to a private conversation, has made headlines, phishing campaigns based on a similar premise receive less attention.
According to George Waller, a Co-Founder and EVP of StrikeForce Technologies, since not a single video conferencing platform specializes in cybersecurity, virtually none of the services emphasize safety concerns.
"We started looking at the vulnerabilities and video conferencing, and we realized that there was a minefield of vulnerabilities in all these video platforms that people and companies use," Waller explained to CyberNews.
Recently, StrikeForce Technologies, together with Aite-Novarica, introduced one of the first sets of industry guidelines on data sensitivity classification and technology framework for locking down video conference security.
We sat down with Waller to discuss why businesses and individuals should guard video conferences and what dangers lie in having an unprotected video call.
Video conferencing is not a new technology. Why do you think there's an elevated need to safeguard video calls?
Before the pandemic, video conferencing really wasn't used to share corporate or personal data. But when the pandemic hit, video conferencing became part of the fabric of every company.
"The biggest threat vector of all is that none of them are addressing authentication."-George Waller, a Co-Founder and EVP of StrikeForce Technologies
We started looking at the vulnerabilities and video conferencing, and we realized that there was a minefield of vulnerabilities in all these video platforms that people and companies use.
Why do you think that is?
Because not a single one of the service providers is a cybersecurity company. They are video conferencing companies. And what they do, they do well. They do what they're supposed to do, but they're not companies that understand cybersecurity. They don't understand the threat vectors, they don't understand malware and how it can infiltrate a system.
The biggest threat vector of all is that none of them are addressing authentication. We realized that none of the video conference platforms require people who join a meeting to log into a portal with strong authentication. None of them do that.
That's a huge vulnerability. Because if I can get into your portal, I could see all your past meetings. If you are recording meetings, I can access all that data. I also have access to all the emails that you receive.
And if there's a database, independent from the video conference and manufacturer, I may have access to all of that, too. Threat actors could easily use that information for spear-phishing attacks or use other penetration methods.
Do you think threat actors could abuse the lack of authentication beyond credential-stealing?
We started looking further at video conferencing and tried to put ourselves in hackers' shoes. So we wrote some malware and managed to brute-force into one of our internal systems. And it turns out it's possible to take video recordings via most of the key video conferencing platforms.
We were able to capture video and audio. We also could get to the speakers and get the audio stream from the people at the conference speaking. That is different from the microphone audio. We were able to take anything typed on the keyboard as well, take screenshots, and take information from the clipboard.
If there are ten people in the meeting discussing a hostile takeover or a merger, having somebody listening on that is a major problem. And we realized that nobody was even looking at that.
Can you inject malware by only having an invite to call?
The answer is yes because threat actors can distribute malware via an invitation that's not a real invitation. If I can get someone's email, I can send them an email and say, 'Hey, here's a video conference. I need to have a meeting with you.'
People do not pick up the phone and say, 'Hey boss, did you send me a link?' Usually, if people receive a link from someone they think they know, they accept it. And as soon as you click on that link, threat actors can exploit your machine.
"People do not pick up the phone and say, 'Hey boss, did you send me a link?' Usually, if people receive a link from someone they think they know, they accept it."-George Waller, a Co-Founder and EVP of StrikeForce Technologies
Do you think threat actors often try to compromise video conferences for nefarious purposes?
Video conferencing is being compromised on almost a daily basis. Threat actors are not necessarily breaching your network. They're breaching a system that you will use to discuss sensitive information.
The term 'Zoom bombing' even entered the English language. And sure, right now, most people have been going on there spouting nefarious claims, bigotries or racism, or something like that. However, they're in your system, and they're watching you.
If you have a lot of windows in the conversation, you might not be paying attention, especially when people have their cameras turned off.
Could you tell a little about whether there were any cases where hackers significantly damaged a business or an individual due to a breached video conference?
I wouldn't go into specifics, but breaches happen every day to video conferencing systems. The thing is, we hear about the Zoom bombings. However, you don't know when data gets stolen out there by malware. Most companies don't know that they've been breached until the data gets out there.
That's happening through malware, whether it's to breach the company or the cloud storage provider. Someone's breaching that virtual perimeter, gaining access to key corporate data and key information.
Whether it's to a credit card database, the database for the active directory for your company, directory or intellectual property secrets, whatever. And with video conferencing, they're watching what you're saying, watching what you're seeing and hearing. That is happening.
More from CyberNews:
Subscribe to our newsletter