Like most companies during the Great Quarantine of 2020, we are spending a lot of time in video conferences. Unlike most companies, our entire business is 100% focused on making sure that data is secure as it travels from one place to another. We do this for all kinds of data — financial, technical, audio or video. With so much proprietary data being secured by commercial video conference software, whether it is the intellectual property of business or the classroom time of our children, we thought it would be helpful to ask and answer a very important question:
Are video conferences secure?
The Good
Virtually every web conferencing system available applies basic security protocols to your video conferencing. This means that a bad actor who encounters a few minutes of video intercepted mid-stream will not be able to view it. This is a good first step, of course. But protecting our content from a criminal who simply stumbled upon part of it is a fairly low bar. That’s not who you should be worried about.
The Bad
How do video conferencing servers fare against determined attackers? Unfortunately, not as well. The best-known attack on data in flight, called a Man in the Middle attack, is possible on all four of the major providers we tested. Here’s a fun game: see if you can spot my password in the screenshots from intercepted network traffic below:
While the security of the video conferences set up after you log in is a different matter, we aren’t off to a great start.
The Ugly
Perhaps the most concerning aspect of the video conferencing offerings we surveyed was the limitations on security. Here is a mixed sampling from some of the top providers:
- No true end to end security (or misleading claims about it in some cases)
- Inability to record sessions when end to end security was enabled
- Inability to prevent rogue employees from eavesdropping on communication
- Susceptibility to Man in the Middle attacks
- Requirement to host your own servers to get around some of the limitations
- Inability to properly authenticate users/uninvited guests (we saw how secure authentication was)
- Disabling features like login before host when end to end encryption is enabled
- No ability to audit the security of the communication
With the unprecedented number of online meetings taking place today as workers have been forced to connect from their homes, this security hole is particularly urgent. Elon Musk outlawed the use of Zoom for SpaceX employees just today for fear their intellectual property was at risk. Senior business leaders cannot afford to look the other way. But there is help…
Our Answer
At KnectIQ, the only thing we do is protect data in flight. So, our solution solves every one of the limitations above. We do this by:
- Providing end to end security
- Not requiring complex key management (we get rid of the static key)
- Giving users total control over who can decrypt data
- Defeating Man in the Middle Attacks
- Providing the ability to audit the security of your communication. Users need not wonder if their information arrived securely.
These are the basics you should demand from any video conferencing service you employ. In their absence, what can you do?
If you offer a video conferencing solution, KnectIQ would love to assist by providing better security for your customers and a strong way to differentiate your offering from a security perspective.
If you are an end user, the best thing to do in the short term is to use a VPN and a meeting password. It at least provides another layer of security. In the long term, technology consumers should demand better solutions from their video conferencing providers. Whether you are consuming VPN, Web or Video Conferencing services, you should expect security.
To learn more about KnectIQ and the problem that we solve, please visit our website at knectiq.com and contact us for more information.