Messaging and videoconferencing solutions remain vulnerable to cyber attacks
It will soon be three years since the Covid-19 epidemic and, with it, the generalization of telecommuting. Today, what we refer to as hybrid work means that some people stay at home or move to another part of the country, while others work in the office or in public places. Work is now possible everywhere. The fundamental tools that have enabled this development are instant messaging and videoconferencing: they let us connect with everyone, whether employees, suppliers, partners or customers, from anywhere, formally and informally. But this is not without risk, as some solutions are vulnerable to cyber attacks. These solutions concentrate millions of items of information: video streams, chat systems and file exchanges. Securing this data is a major cyber security issue for the users and customers of these solutions.
Threats and vulnerabilities in messaging and videoconferencing applications
There has been an increase in threats to messaging and videoconferencing applications: meeting bombing, passive eavesdropping, data leaks, industrial espionage and more, including on tools that are entirely free or offered with paid add-on subscriptions: Skype, WhatsApp, WebEx, Teams, Hangouts, Vidyo, Zoom and others. Even industry professionals acknowledge this: in an Aite-Novarica Group study on videoconferencing security, 93% of professionals surveyed admitted to gaping security vulnerabilities and risks in their videoconferencing solutions.
“Free” applications are paid for by online or offline advertising, the use of personal data, or the collection of other data such as IP addresses, device identifiers, cookies, etc. Some also obtain personal or confidential information by monitoring conversations. The lack of controlled access to conversations in certain applications is a major risk and can lead to disruption, sabotage, compromise or disclosure of sensitive information.
As we noted in our article Digital sovereignty: A major challenge for your communications and data, one of the risks of using American solutions such as Skype, Zoom and Teams lies in the national laws to which they are subject: the Patriot Act and the CLOUD Act. Microsoft has acknowledged that its European customers' data could be transferred to the United States under the Patriot Act, without the consent or notification of users. Even the big players in videoconferencing are not free of threats and vulnerabilities. For example, in 2022, Zoom discovered a chain of vulnerabilities in its chat feature that could be exploited for zero-click remote code execution (RCE). In Microsoft Teams, Vectra discovered authentication tokens stored unencrypted, allowing any user to access secret documents without needing special authorizations.
Finally, the widespread adoption of telecommuting has led to an increase in phishing and social engineering attacks aimed directly at videoconferencing and messaging solutions. In organizations where many employees work remotely, sometimes entirely so, not all teams know each other. Cyber criminals take advantage of this and trick employees through fraudulent e-mails, posing as a colleague or manager in order to obtain sensitive or financial information.
A worrying new threat
In a bid to cut costs, many organizations are adopting a new trend: BYOD, or Bring Your Own Device, which encourages employees to use their personal devices (phone, laptop, tablet) rather than those provided by the organization. The benefits include comfort, ease of use, increased productivity, simplified on-boarding and off-boarding of employees, cost reduction for the organization and a more sustainable approach. However, the proliferation of personal devices makes it more difficult for IT departments to secure networks and devices. These new access points can be exploited and create new cyber risks.
Letting a personal device access and store corporate data can lead to a breach of sensitive data, particularly if the device is lost or stolen and the data hosted on it or in its applications cannot be deleted remotely. Personal devices may also lack security features such as firewalls, antivirus and encryption. Such devices are vulnerable to compromise and can become a gateway to the entire corporate network: attacks are easier to carry out, harder to detect and harder for IT departments to remediate. Finally, installing personal applications (social networks, games, etc.) alongside professional or business applications increases the risk of exposure to malware.
How to increase protection and limit vulnerabilities in messaging and videoconferencing applications
Relevant authorities have shared recommendations for dealing with these risks. The first thing to do when choosing a videoconferencing tool is to read the terms of use carefully. All applications are required to inform their users on how their data will be used. For instance, apps providing a service on European soil are required to comply with the General Data Protection Regulation (GDPR) and indicate what information is collected, how, for what purposes and for how long.
As the authorities point out, it is best to choose software that clearly shows you how your data is used and offers solid privacy protections. Other basic precautions include the use of secure tools and end-to-end data encryption. Applications should offer two-factor authentication (2FA) for both meeting creator and participants and ensure that login links cannot be shared. Finally, you should use solutions that comply with security standards, are certified by recognized institutions, are securely hosted and comply with your local regulations.
There are also simple rules that users must follow to conduct meetings securely, prevent data leaks and ensure that only those who need to know have access to content:
- Generate invitations with secret codes to join meetings.
- Use an encrypted connection and a secure network (internal network, VPN, firewall, antivirus).
- Control participants (virtual waiting room, guest acceptance, deactivated presentation and recording controls, etc.).
- Set privacy options and restrict how data can be used, for example by modifying the type of files or links that can be shared, or by requiring a password to access meeting recordings.
- Systematically close applications when not in use.
- Deactivate microphone or camera when not needed.
- Use a unique, complex password.
Citadel Team, a proven solution
A secure, sovereign and easy to use videoconferencing and messaging tool with end-to-end encryption already exists: Citadel Team!
Citadel Team is a secure, multi-device professional collaboration solution and the trusted alternative to consumer instant messaging: discussions, phone calls and videoconferencing all take place within Citadel Team. Create chat rooms for your teams with an unlimited number of users. Boost communication by inviting thousands of members to dedicated chat rooms! Discuss privately with each of your internal colleagues and invite external partners. To ensure total confidentiality and separation between our customers, each organization is given a dedicated infrastructure operated by Thales and hosted in France. Your data will not be used or sold. When activated, end-to-end encryption ensures that only your devices can decrypt your messages. Citadel Team synchronizes all your communications in real time across your mobile devices and PCs (iPhone, Android, Mac, Windows and browsers).