Author: Barry Leiba, M3AAWG Senior Technical Advisor
With essentially everyone working from home and all meetings cancelled, we're all relying more heavily than ever on teleconferencing systems. Not surprisingly, attackers are taking advantage of that situation by hacking into our teleconferences and the systems that support them, and the news media are full of reports of various vulnerabilities, including security and privacy issues. Some reports go as far as advising against use of one or more teleconference tools.
What should we do?
First, as Douglas Adams wrote in "The Hitchhiker's Guide to the Galaxy": Don't panic. As with everything else related to security, it's important to take a broad view and look at the issues carefully before making any decisions. I can't advise about any specific teleconference systems here, but I'll give some good general advice on how to do the necessary analysis.
It's important to keep in mind that the more popular and widely used any online system is, the more heavily it's attacked. Looking solely at the number of vulnerability reports can be misleading. More important are the specific issues involved, as well as how the service provider is responding. Are they accepting the reports, owning the problems and getting fixes distributed and installed? Or are they denying that there are problems and saying everything's fine?
Constantly ask yourself what your meeting usage needs and threat models are and understand how vulnerabilities might fit within those. If you're using teleconferencing for private company meetings where you'll discuss corporate secrets, your tolerance for exposure will be different from usage for public standards discussion, and that will be different still from having an online "happy hour" where you're discussing craft beer and reality television. Be sure to keep your usage in mind as you evaluate.
Can the exposures you care about be mitigated by changing the configuration from the default? Remember the security maxim, the "principle of least privilege," and don't allow participants in your teleconferences to do things they don't need to do. Limit access to the meeting host only, and allow the meeting host to distribute control as needed.
A few other tips to consider to support safe teleconferencing:
- Do put passwords on your conferences if you care about who joins. It's easier to let people join without a password, but attackers have been successfully joining arbitrary teleconferences, uninvited, by brute-force guessing meeting numbers -- the typical 9- or 10-digit meeting numbers simply don't have enough entropy to protect against that.
- Alternatively, if your usage model involves small calls with just a few people, watch for interlopers and throw them off the conference. Using a password is better, but you might need to do this anyway, so it's always a good idea to watch for unknown participants.
- Consider disabling the ability for participants to join before the host does. Doing so will make sure that no one is on the conference until there's a host there to maintain control.
- Consider requiring the host to individually approve each participant before they can actively join. This is a big security improvement, but it can also be a big inconvenience, so do balance it against your usage and privacy needs.
- Limit features such as file sharing and screen sharing / presenting to the host only. Then have the host assign such rights to individuals only as needed. That will prevent free distribution of malware as well as disruption of your conference.
- If you're using the conferencing system to make recordings of your meetings, find out where and how those recordings are stored, and make sure that the security of the recordings meets your needs. Are they encrypted on the provider side? Are they deleted after you download them? If not, how long are they kept?
Modern teleconferencing systems provide an enormous benefit, allowing anyone to have audio and video meetings online. But, as with any online system, we have to choose them and use them responsibly, and the service providers have to maintain and manage them responsibly.