Safe Videoconferencing

Introduction

Business communication has changed considerably in the past few years, and in many areas it is already pretty common to send a quick chat message instead of writing an email or calling someone, but videoconferencing was still a limited occurrence for most users. Now, with the COVID-19 pandemic restrictions, basically everyone has come across videoconferencing one way or another. For many employees, it quickly became a regular communication channel to replace face-to-face contact with colleagues, especially in the education sector, where communication not only between employees but also with students is a very important aspect. The sudden need for additional technologies and resources for video communication forced many institutions to come up with viable solutions in a very short time. Often different solutions were set up and used in parallel, each with its own features, but also flaws, making it difficult for administrators and users alike to stay informed and safe.

This article tries to shed some light on the topic of safe videoconferencing from different perspectives. On the one hand, there is the user’s point of view, where it is sometimes not as straightforward as it seems to keep sensitive information out of a video chat. On the other hand, there is the administrator’s, or more generally the institution’s, point of view, where the task is to provide a secure service for their users.

Safe Usage

Many solutions make it pretty simple to start a video chat, but warnings about possible security implications from using them are rare. You sit down in front of your webcam, accept the video call and your screen fills with lots of faces, some obviously working from home, some from their office, some seem to work from a tropical beach or even a space-station. Technology sure can be magical! But have you checked what else is visible on your video stream? Accidental exposure of sensitive information on video can be a common pitfall and happens more often than you think. A famous example could be a typical whiteboard in the background with some drawings and notes spread around on it. Maybe someone wrote down their password or sensitive details about a network structure or system? Not as easy to spot but also possible could be reflections on certain surfaces, like mirrors or glass, exposing the user’s screen or items on their desk. Sensitive business information is one thing, but also details about one’s private life could be accidentally revealed that way. For safe video calls plain backgrounds should be used and always checked for items that could be too revealing.

But wait, what about working from a tropical beach? Yes, virtual backgrounds can be used to hide the real background but without a professional setup this can lead to a false sense of safety. The techniques used to replace the background are mostly based on chroma key compositing, often called green screen technique. It is based on the differences in colour hues between the user and the background. If the background does not uniformly have the same colour hue, the algorithm cannot reliably distinguish between certain elements and can accidentally display parts of the background. This sometimes can be seen when parts of clothing with a similar colour hue are suddenly replaced.
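The failure described above can be reproduced with a few labelled pixels. The following is an added example, not part of the original article: a simplified hue-threshold keyer in which the key hue, tolerance, saturation cut-off and all sample colours are constructed assumptions.

```python
import colorsys

KEY_HUE = 120 / 360        # assumed key colour: green
HUE_TOLERANCE = 30 / 360   # assumed tolerance around the key hue
MIN_SATURATION = 0.3       # greys and whites carry no usable hue

def is_background(rgb):
    """Hue-threshold keying: True if the pixel would be replaced."""
    h, s, _ = colorsys.rgb_to_hsv(*(c / 255 for c in rgb))
    distance = min(abs(h - KEY_HUE), 1 - abs(h - KEY_HUE))  # hue is circular
    return s >= MIN_SATURATION and distance <= HUE_TOLERANCE

def keying_errors(frame):
    """Count (leaked room pixels, erased person pixels) for a labelled frame."""
    leaked = erased = 0
    for row in frame:
        for kind, rgb in row:
            replaced = is_background(rgb)
            if kind == "room" and not replaced:
                leaked += 1      # real background stays visible
            elif kind == "person" and replaced:
                erased += 1      # part of the user is painted over
    return leaked, erased

# Constructed sample pixels (ground-truth label, RGB colour).
WALL = ("room", (40, 180, 60))          # evenly lit green wall
WHITEBOARD = ("room", (235, 235, 230))  # whiteboard hanging on that wall
SKIN = ("person", (224, 172, 105))
GREEN_SHIRT = ("person", (30, 150, 70))
BLUE_SHIRT = ("person", (40, 60, 160))

UNIFORM_FRAME = [[WALL, SKIN, SKIN, WALL],
                 [WALL, BLUE_SHIRT, BLUE_SHIRT, WALL]]
HOME_OFFICE_FRAME = [[WALL, WHITEBOARD, WHITEBOARD, WALL],
                     [WALL, SKIN, SKIN, WALL],
                     [WALL, GREEN_SHIRT, GREEN_SHIRT, WALL]]

if __name__ == "__main__":
    print("uniform backdrop:", keying_errors(UNIFORM_FRAME))
    print("home office:     ", keying_errors(HOME_OFFICE_FRAME))
```

With the uniform backdrop nothing leaks; in the second frame the whiteboard stays visible and the green shirt is painted over.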

Another way to accidentally share sensitive information is via screen sharing. Since sharing your screen during a videoconference is often necessary or at least very useful on many occasions, just make sure that you do not share more than what you’d like to share. One way to avoid accidentally sharing stuff is sharing just one window and not the whole screen. If this is not reliable and you need to share the whole screen, close all windows which could leak information or move them to a different monitor. It can be a good idea to check your background and task bar for things you do not want to show to other people and switch notifications off before sharing your screen.

Many videoconferencing tools also include some form of chat. As with any online chat, copy and paste can be useful; just make sure that you don’t accidentally paste sensitive data, e.g. passwords, into the chat.

Another thing you should always be aware of is that a videoconference could be recorded at any time. Some tools inform all participants when a recording is started, but a local recording by an arbitrary participant can be started at any time without notification. Of course, this is not appropriate behaviour, but there is no technical way to prevent such recordings on a participating client. Keep in mind that this also applies to chat messages. On the other hand, if you ever want to start a recording (locally or via the conferencing software) of audio, video or even the chat log, you should definitely ask the other participants for their consent.

When joining a videoconference often your camera and microphone are deactivated at the beginning. This is a good way to give all participants control over when they want to start sharing audio and video with other people in the conference. But be careful - you can’t rely on this behaviour. Sometimes conferencing tools are not configured this way and your camera and microphone are automatically activated when you join a meeting. So just make sure that you are ready, fully dressed and not chewing the rest of your lunch when joining the meeting. You can also cover your camera and mute your mic in the operating system to generally avoid this problem.

If the conferencing tool offers some filesharing options you should definitely be careful with downloading and opening stuff shared during a conference. Just think of the files being the attachment of an email from an unknown sender and treat them accordingly.

You survived a videoconference and everything went well? Congratulations! Just make sure you really left the conference and that video and audio are no longer shared before enjoying your well-deserved pizza for lunch or starting some personal conversation with a colleague or family member.

Hosting Videoconferences

If you are not only a participant but the host of a videoconference, there are some additional things to keep in mind:

The first decision to make is which conferencing tool or platform you want to use. This of course depends on which tools are available in the given setting. Generally, it is a good idea to choose a solution which is offered and commonly in use by your organisation. Some tools are more suitable for big audiences, while others may offer better security options. If you are unsure which tool to use for hosting a conference, your local admin may give you some advice. They can also help you with the configuration of the meeting, e.g. setting room passwords or muting all participants by default.

Make sure to secure your meetings with password protection or moderated entry when you are the one hosting, so only legitimate users may enter. Keep in mind that the all-time favourites “password” and “12345” are not a good way to protect your meeting; use a random string instead. It can also be a good idea not to use one password for all of your meetings and conferences but to generate them individually.

When distributing invitations to the conference you are hosting, make sure not to embed them in a wider context to avoid accidental sharing of login information (e.g. do not distribute them in a monthly newsletter).

If your meeting has especially sensitive or even classified content, you should review all participants and make sure nobody has sneaked in.

It also can be an extremely good idea to make some technical check-ups before hosting your videoconference. Just make sure all settings apply as expected, e.g. no one can enter the meeting without a password and screen sharing shows only what should be shared to participants.

Administrators’ Troubles

At the beginning of the pandemic the need for videoconferencing solutions gave many administrators and institutions a lot of headaches. Organisational and technical aspects alike can be obstacles.

Choosing the Right Solution

As with any other product many different aspects need to be kept in mind when choosing and setting up a new solution. With communication tools especially, data-protection and security aspects play a big role, as secure and reliable communication channels are very important nowadays. With that said, many institutions had a hard time choosing between local and open source, but often less user-friendly solutions, e.g. Big Blue Button or Jitsi, and cloud-hosted solutions with multiple nice features from the big players on the market, e.g. Microsoft Teams, Webex or Zoom.

It is difficult to recommend a specific solution here because it mostly depends on the use-case, but institutions should always keep in mind that there are trade-offs between solutions. Cloud-hosted solutions are easily accessible from everywhere and often offer high performance. But on the other hand, it is very difficult to know what happens with sensitive data that gets transmitted and stored. This can sometimes become a problem with strict regulations, especially when servers are hosted in other countries. Local solutions allow for better control over transmitted data and give full control of the data stored on the server. Even though many open source solutions improved their usability and performance in the last few months, they often still are not on par with commercial solutions.

Depending on the use-case, the existence of certain security functions should be checked. For best security a solution supporting full end-to-end encryption (E2EE) should be used; this can mitigate the problem of data getting transmitted over untrusted servers. But viable functions to secure access to meetings and to moderate them, especially for larger groups of attendees, can also be necessary and should be tested before deciding on a final solution. It is very important to clarify what kind of solution is needed, carefully choose one and in the end convince users to stick to this solution. The last step can actually be the hardest part.

Secure Configuration

As with any other service an institution offers, a secure configuration that is still usable by regular users needs to be found. Many solutions offer a large variety of configuration options that should be carefully reviewed before opening the service for your userbase. In some cases security-related options are disabled by default, which can put users at risk without them even knowing. If possible, settings such as end-to-end encryption (or at least transport encryption), automatic setting of passwords for new meetings, moderation features or even simple options such as deactivated microphones and webcams when joining meetings should be enabled for all users by default. This can make it a lot easier for users to host secure videoconferences. When it comes to encryption settings, it should be checked that all transmitted data is encrypted and not only some parts, e.g. the text chat. It can also be useful to disable certain features in general, like file transfers or recording, to reduce the attack surface when they are not needed.

Users should be informed about the available functions and configuration options they can use in order to host videoconferences. Tutorials can be really helpful to show users how to work with the new solution and which steps need to be taken. If certain restrictions apply, like only internal availability through a VPN or the need to use a proxy server, users need to be taught how to use those functions as well.

Networking Problems

Setting up new videoconferencing software can be a difficult task for network administrators as well. There are lots of different protocols that come into play, not only between different solutions but also for different steps during a videoconference. As long as users are directly connected to the internet those protocols work as intended, but in most institutions traffic is routed through firewalls and NAT gateways, which secure internal systems from external access while still allowing them to communicate with the outside. This usually prevents certain protocols from working out of the box, and additional techniques, like STUN and TURN, are needed to get them working properly. The problem at this point is that such changes in network configuration, especially when opening ports to locally hosted videoconferencing solutions, can lead to a larger attack surface and open up new vulnerabilities. Depending on how strict the local network security configuration is, it can be quite difficult to strike a balance between usability and security.

Many solutions nowadays therefore use HTTPS for everything instead of peer-to-peer (P2P) connections between the attendees of a videoconference, which resolves many problems. In those cases all the data is usually transmitted through some servers that belong to the videoconferencing solution. In most cases users can establish HTTPS connections to external services in order to view websites, so there is no need to add rules for additional protocols or to expose certain ports to the internet directly. The downside here is that all traffic needs to be handled by a server and run through it. This can need a lot of processing power and also could enable the recording of audio and video if no end-to-end encryption is used.

Attacks on Videoconferencing Software

Videoconferencing software is still software: it consists of thousands to millions of lines of code – each prone to failure – and with the rise of conferencing solutions the interest in vulnerability research for this topic rose as well. Whenever native client software that processes untrusted data is run on your system, there is potential for disaster. The bigger names have all been hacked in public at competitions like Pwn2Own in the past and more often than not the client software could be utilised to fully compromise impacted systems. Of course, this is just the tip of the iceberg and a lot, if not most, of the research targeting vulnerabilities in such widespread software is not done in public. There is a market for vulnerabilities that are unknown to vendors (0-Days) fuelled by nation-state actors, so as long as programs like Pegasus (NSO) or the German Staatstrojaner remain lawful or are actively pursued, security researchers can always opt to quietly cash out instead of making their research public.

Sometimes there are security problems with feature implementations as well. Zoom famously made the entire screen available to other participants for some milliseconds (i.e. transmitted and hence recoverable frames) when users only wanted to share part of the screen. Muting oneself in Big Blue Button would still record and transmit audio to the server. Microsoft Teams allowed malicious actors to steal emails, messages and files of other members of their organization via a feature called Power Apps applications. The list goes on.

So there is a case to be made for using conferencing tools only via the browser. However, this usually goes hand in hand with a lack of special features such as screen sharing or of conveniences like the grid view of the audience, and can have performance implications as well. Browsers have become a lot better at handling several simultaneous multimedia streams during the pandemic, but sending video data and receiving a lot back can still severely impact the available system resources. And ultimately, browsers are software as well. Whether a browser or dedicated client software is used, regular installation of updates is really important when it comes to communication solutions because they are used by many different and maybe untrusted users.

Zoom-Bombing

During the early days of the pandemic another problem frequently showed up in a lot of online meetings. Unpleasant surprise visits by uninvited actors led to the fast adoption of password-protected meeting rooms and lobbies, where participants had to wait until the host approved their attendance manually. Such events have become much rarer lately and research suggests that the majority of calls for zoom-bombing are made by insiders rather than attackers who obtained invitations illegally or guessed meeting passwords. This makes password protection and lobbies – at least for meetings where the host does not know all participants by face or name – less effective and the only viable solution seems to be sending out unique links for each participant, so that access can be easily revoked upon compromise.
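One way to implement unique per-participant links with individual revocation, as an added sketch that is not part of the original article and not the mechanism of any particular product. The class name `InviteRegistry`, the host `meet.example.org` and the meeting and participant names are assumptions made for illustration.

```python
import hashlib
import secrets

BASE_URL = "https://meet.example.org"   # placeholder host (assumption)

def _digest(token):
    """Only this hash is stored, so a leaked registry reveals no usable links."""
    return hashlib.sha256(token.encode()).hexdigest()

class InviteRegistry:
    """Hypothetical per-meeting store of one invite token per participant."""

    def __init__(self, meeting_id):
        self.meeting_id = meeting_id
        self._invites = {}   # token digest -> {"participant", "revoked"}

    def issue(self, participant):
        token = secrets.token_urlsafe(32)   # 256 random bits from the OS CSPRNG
        self._invites[_digest(token)] = {"participant": participant,
                                         "revoked": False}
        return f"{BASE_URL}/{self.meeting_id}?invite={token}"

    def admit(self, token):
        """Return the invited participant's name, or None if unknown or revoked."""
        entry = self._invites.get(_digest(token))
        if entry is None or entry["revoked"]:
            return None
        return entry["participant"]

    def revoke(self, participant):
        """Invalidate every invite issued to this participant; return the count."""
        hits = [e for e in self._invites.values()
                if e["participant"] == participant and not e["revoked"]]
        for entry in hits:
            entry["revoked"] = True
        return len(hits)

def demo():
    """Constructed scenario: bob's link is posted publicly and gets revoked."""
    registry = InviteRegistry("seminar-42")
    links = {name: registry.issue(name) for name in ("alice", "bob")}
    token = {name: url.split("invite=")[1] for name, url in links.items()}
    seen_as = registry.admit(token["bob"])   # the link identifies whose invite it is
    registry.revoke("bob")
    return seen_as, registry.admit(token["bob"]), registry.admit(token["alice"])

if __name__ == "__main__":
    print(demo())
```

Because every link maps to exactly one invitee, a link that turns up in a public channel both identifies whose invitation was passed on and can be revoked without affecting the other participants.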

Addendum

Recently the German BSI published a minimum standard for videoconferencing software (only available in German).

Dustin Gawron (WWU-CERT), Martin Waleczek (DFN-CERT), Vanessa Weidler (RUS-CERT)
Originally published as part of the European Cyber Security Month at https://connect.geant.org/2021/10/26/safe-videoconferencing-part-1 and https://connect.geant.org/2021/10/27/safe-videoconferencing-part-2, respectively.