Mention “virtual meetings” and “security issues” and nine people out of ten will respond, “Zoombombing.” Zoombombing became (in)famous during the pandemic, when hackers disrupted programming with pornography and hate speech. But while these incidents were certainly unsettling and unpleasant, they are far from the most dangerous security risks associated with virtual meeting solutions.
Zoombombing interrupts meetings, but it doesn’t compromise participants’ data or expose their endpoints or networks to ransomware. As demonstrated by declining incident rates, it’s also an easy problem to solve by adding password protection, waiting rooms, and/or limiting the number of participants who join via meeting links, while others watch stream-only versions on YouTube or Facebook.
It is less well known, however, that virtual meetings can be a vehicle for the installation of malware that can be used for various nefarious purposes, including ransomware.
Virtual Meeting Malware and Flaws
Pretty much as soon as the world moved to online meetings, multiple security flaws in Zoom came to light. Zoom had been advertising that it used end-to-end encryption; the company later admitted that this wasn’t true.
Zoom was found to have installed a hidden web server on users’ devices, which could be used to add users to calls without their permission. This obviously could also be a way to spy on people, adding them to a “call” and starting their camera and microphone even if they are engaged in some other kind of activity.
Another flaw was that Zoom failed to distinguish between web URLs (typically formatted using forward slashes, as in https://abcxyz.com) and network addresses, which are generally formatted with backslashes, e.g., \\www.abcxy.exe. Hackers who found their way into meetings would try to lure participants to click on these links by posting them to the meeting chat, along with a convincing – and false – explanation. Clicking the link would set meeting participants’ devices searching for files on the remote server, where they would try to log in, revealing each user’s lightly encrypted and easy-to-break Windows password to the hacker. Alternatively (or in addition), the remote server could install malware to participants’ devices.
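The check a chat client needs in order to avoid this flaw, as an added example (not Zoom's code or any vendor's actual fix): only http and https URLs become clickable, while network paths and other schemes stay inert text. The function names, the allowlist and the sample message are assumptions made for illustration.

```python
import html
import re
from urllib.parse import urlsplit

# Assumption for this example: only these schemes may become clickable links.
SAFE_SCHEMES = {"http", "https"}

# One pass finds both shapes: \\host[\share\...] network paths and scheme://... URLs.
TOKEN_RE = re.compile(
    r'(?P<unc>\\\\[^\s\\/]+(?:\\[^\s\\]+)*)'
    r'|(?P<url>\b[A-Za-z][A-Za-z0-9+.-]*://[^\s<>"]+)'
)

def classify(token):
    """Label one candidate link as 'web', 'unc' or 'blocked-scheme'."""
    if token.startswith("\\\\"):
        return "unc"  # opening it makes Windows authenticate to the remote host
    try:
        scheme = urlsplit(token).scheme.lower()
    except ValueError:  # malformed URL: treat as not linkable
        return "blocked-scheme"
    return "web" if scheme in SAFE_SCHEMES else "blocked-scheme"

def scan(message):
    """Return (token, verdict) for every link-like token in a chat message."""
    return [(m.group(0), classify(m.group(0))) for m in TOKEN_RE.finditer(message)]

def linkify(message):
    """HTML-escape the message; wrap only allowlisted web URLs in anchors."""
    out, pos = [], 0
    for m in TOKEN_RE.finditer(message):
        out.append(html.escape(message[pos:m.start()]))
        tok = html.escape(m.group(0))
        if classify(m.group(0)) == "web":
            out.append(f'<a href="{tok}" rel="noopener noreferrer">{tok}</a>')
        else:
            out.append(tok)  # network path or other scheme: plain text only
        pos = m.end()
    out.append(html.escape(message[pos:]))
    return "".join(out)

# Constructed sample chat message (hosts are placeholders).
SAMPLE = (r"Deck: https://abcxyz.com/deck notes: \\fileserver.example\share\notes.docx"
          " alt: file://fileserver.example/share/notes.docx")

if __name__ == "__main__":
    for token, verdict in scan(SAMPLE):
        print(f"{verdict:15} {token}")
    print(linkify(SAMPLE))
```
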
These flaws drew lots of attention, since so many people jumped onto the Zoom platform so quickly when pandemic closures hit. And to give them their due, Zoom responded quickly and responsibly to address these and other issues.
More recently, researchers participating in the Pwn2Own hackathon were able to take control over PCs and Macs by exploiting a vulnerability in the Zoom desktop app. A similar vulnerability was discovered in Microsoft Teams, too. Other researchers found that users’ entire screens may be visible for a very short time when screensharing is initiated, rather than just the screen that the user has chosen to share. If the meeting is recorded, and the recording shared, confidential data may be visible to participants who freeze the relevant frame. Another recently reported – and repaired – flaw preserved chat images in online directories even after a user had deleted them. And so on.
Virtual meeting solutions are sophisticated and complex, making it almost inevitable that exploitable vulnerabilities will be found. And in fact, other meeting software has also been found to host malware.
Some people who downloaded pirated versions of popular macOS software from torrent sites got a little present: malware installed on their FaceTime app. Getting rid of the malware required a complete fresh install of the operating system. A bug found in FaceTime allowed callers to access the microphone and camera of the person they were calling even if that person didn’t answer the call.
Is Opting Out the Right Answer?
Virtual meeting solution providers are a responsible crew and have addressed security flaws as they’ve been found. But as every security professional knows, whack-a-mole is a game without end. Any technology that is valuable to millions or billions of users is even more valuable to cybercriminals who can exploit it as an attack vector.
As a result, organizations that prohibit app installation on endpoints faced difficult choices during pandemic-related closures. They could opt for cost-effective, lightweight solutions that are easy to use – but increased their vulnerability to data exposure and cyberattacks. Or they could stick with complex, costly legacy conferencing solutions that are more secure, but maddeningly difficult to use. Unless, of course, they chose to entirely opt out of video conferencing.
Despite the challenges of remote work, many highly security-conscious organizations determined that vulnerabilities and security failures associated with virtual meeting solutions were so worrisome that they stuck with costly and complicated alternatives or, in some cases, opted out of virtual meetings altogether. SpaceX and NASA, along with numerous government agencies, banned employees from using Zoom.
Securing Virtual Meetings
For these organizations – and their frustrated employees – there was recently some very good news. Thanks to a new innovation, organizations can now leverage virtual meeting web portals without risk from malware, spyware or cyberattacks, and without requiring app or agent installation on endpoints.
Remote Browser Isolation (RBI) has earned wide acceptance as a powerful way to protect organizations from infected websites and phishing attacks. Until recently, however, virtual meetings could not run under RBI. To address the risk of virtual meeting-enabled cyberattacks, Ericom developed Virtual Meeting Isolation, an innovative, patent-pending remote browser solution that provides a safe and secure way to participate in virtual meetings via providers’ web portals – an ideal solution for organizations that prohibit installation of endpoint clients.
Ericom Virtual Meeting Isolation supports all capabilities and devices needed for virtual meetings – access to the microphone, camera, and screen sharing – while preventing virtual meeting code from reaching the user’s device and keeping IP addresses private. Critically, it also allows organizations to prevent data loss through policy-based limitations on resource exposure via screenshares and meeting recordings.