Video Conferencing

Video Conferencing – The Next Hacking Target?

Video conferencing has been a key enabler for the growth in remote working. From a solitary work-at-homer to an enterprise with teams across the world, VC enables real face-to-face communication. But does it bring a new risk to the business?
We take VC facilities for granted, striving for better audio, quicker graphics and better team-working tools, but are we paying enough attention to security? Platforms such as FaceTime, WhatsApp and Skype make use of common technologies such as WebRTC, so what if a hacker could find and exploit a vulnerability?

Here we take a brief look at research carried out recently into vulnerabilities and how a hacker might exploit them. Finally, we look at the best ways of protecting our VC calls.

What’s the risk?

For business VC calls there is a significant potential risk in exposing sensitive information. This could be executives discussing financial information or technologists sharing IP details. Sensitive information is like a magnet for hackers. Outside of business, there is value in hacked data from individuals, such as their Facebook or WhatsApp accounts.
How could it be done?

Natalie Silvanovich of Google’s Project Zero team recently uncovered vulnerabilities that could be exploited by a hacker (they have since been patched). Web Real-Time Communication (WebRTC) is a widely used open-source technology that enables real-time communication. Silvanovich found several vulnerabilities in WebRTC, serious enough to cause a crash with out of bounds or overflow errors.

Hackers often initiate memory heap overflows as their break-in tool. By initiating an overflow on the target’s device, a hacker could take over their account and intercept the VC. There are two feasible methods:

  • The hacker initiates a VC call using a rogue device, establishes peer-to-peer communication and triggers the vulnerability on the target’s device
  • Using a phishing technique, the target is persuaded to initiate a VC, but using a signalling server that is under the hacker’s control. The hacker is then able to more easily establish a peer-to-peer communication with their rogue device.

Will it affect wholesale VoIP termination rates?

We have seen a rise in telecoms fraud affecting operators’ revenues. Attacks such as Voice fraud, SMS fraud, and IPX fraud target both operators and the businesses using them. The example hacking methods we describe would affect businesses and consumers although we shouldn’t rule out escalation into targeting operators.

How can we protect ourselves?

Silvanovich submitted the vulnerabilities as bugs, which were then fixed. So there is no immediate cause for alarm in the context of these specific cases. However, vigilance, as always, is vital to avoid bringing risk to business operations. Here are three suggestions for reducing risk:

  • Upgrade the VC tool to the latest security patch as soon as it becomes available. Developers are constantly fixing vulnerabilities and releasing them, so it’s critical to keep up to date
  • Train staff not to answer VC calls from unknown numbers. An incoming call is the natural entry point for a hacker
  • Use a firewall to protect VC communication