Videoconferencing solutions in the public sector and in small and medium-sized companies

Nowadays more and more employees work from home, which raises the requirements for audiovisual conferencing tools suitable for corporate use. The COVID-19 crisis has also tested how prepared institutions are for emergency situations such as closed schools, offices operating in restricted mode, staff working from home, online learning, audiovisual communication and the daily use of various software tools, and the first shortcomings and problems have become apparent.


Companies and organisations of various types face the problem of electronic communication and information transfer among themselves while carrying out their tasks. Many cities, municipalities, schools, local governments and smaller companies use a variety of communication channels, which is neither efficient nor secure. One employee of a public authority takes a tip from acquaintances or a discussion forum and starts using, for example, Google Hangouts. A second discovers the Zoom app, a third uses Skype, a fourth WhatsApp, a fifth uploads meetings to YouTube, a sixth communicates via Viber, another via a Webex meeting, and so on. Employees are thus forced to install apps and programs on their mobile devices and computers that they often do not know well, and security is forgotten. Do they know how the apps work? Are they safe for their devices and for themselves? What personal data is being processed?


As it turned out, the COVID-19 crisis enormously increased the demand for software solutions and services that enable collaboration or audiovisual communication between two or more parties across many sectors, while taking into account the security, privacy and usability of the chosen solution.


For this reason we have prepared this article to evaluate the suitability of applications that meet certain security conditions. These are mostly well-known applications. Our analysis is based on the selected video-conferencing solutions published on the website of the National Computer Incident Response Team CSIRT.SK.


Description of basic security requirements

First of all, before you decide to start using an application for video-conferencing, it is advisable to check whether your organisation keeps a list of approved software, or to ask the person responsible (IT administrator, IT security manager, etc.). If this option is not available, the next step is to find out whether the application meets some of the basic security requirements and whether it complies with the requirements for privacy and the protection of personal data.


This information should be provided by the app developer on their website, where you can check whether the app provides the following:

Cryptography 
End-to-end encryption (E2EE) means that data is encrypted between sender and receiver, and such communication cannot be read without the encryption key, which only the sender and receiver hold. The purpose of encryption is to ensure that if the data is intercepted in transit by an attacker or by the service operator, they cannot decrypt it and so cannot recover the original information.
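To make the difference between transport encryption (the TLS/SRTP protection most services offer) and end-to-end encryption concrete, the following is an added example, not code from the original analysis or from the CSIRT.SK document. It models both architectures in Python: a relay server that terminates each link under transport-only protection, and a relay that only ever handles opaque ciphertext under E2EE. The relay, the link keys, the sample message and the small HMAC-based encrypt-then-MAC cipher are all constructed for illustration so the example runs on the standard library alone; a real product uses a standard AEAD such as AES-GCM and a key agreement between the endpoints.

```python
"""Added example: transport (hop-by-hop) encryption versus end-to-end encryption.

Illustrative model, not code from the original article. The cipher below is a
constructed encrypt-then-MAC scheme built from HMAC-SHA256 (keystream in counter
mode plus an authentication tag) so the example runs on the standard library
alone; a real conferencing product would use a standard AEAD (e.g. AES-GCM or
ChaCha20-Poly1305) and a key agreement between the endpoints.
"""
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a pseudo-random keystream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one shared key."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the tag does not verify (wrong key or
    tampered data). The tag is checked before anything is decrypted."""
    enc_key, mac_key = _subkeys(key)
    if len(blob) < 48:
        return None
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class Relay:
    """The provider's server. Everything it decrypts is something the operator,
    or an intruder on the server, could log."""

    def __init__(self) -> None:
        self.seen: List[bytes] = []

    def forward(self, key_in: bytes, key_out: bytes, blob: bytes) -> bytes:
        """Hop-by-hop protection: terminate one link, re-encrypt for the next."""
        message = decrypt(key_in, blob)
        if message is None:
            raise ValueError("tag verification failed")
        self.seen.append(message)
        return encrypt(key_out, message)


def transport_only(message: bytes) -> Tuple[Optional[bytes], List[bytes]]:
    """Model of TLS/SRTP-only protection: each link has its own key shared with
    the server, so the server sees the content in the clear."""
    key_alice_server = secrets.token_bytes(32)
    key_server_bob = secrets.token_bytes(32)
    relay = Relay()
    on_wire = relay.forward(key_alice_server, key_server_bob,
                            encrypt(key_alice_server, message))
    return decrypt(key_server_bob, on_wire), relay.seen


def end_to_end(message: bytes) -> Tuple[Optional[bytes], Optional[bytes]]:
    """Model of E2EE: sender and receiver share a key the server never holds.
    Whatever key material the server does have cannot authenticate the blob, so
    decrypt() returns None for it. (A TLS layer may still wrap the blob in
    transit; that only ever exposes ciphertext to the server.)"""
    key_alice_bob = secrets.token_bytes(32)        # agreed only between the endpoints
    key_held_by_server = secrets.token_bytes(32)   # some other key the server has
    blob = encrypt(key_alice_bob, message)
    return decrypt(key_alice_bob, blob), decrypt(key_held_by_server, blob)


if __name__ == "__main__":
    sample = b"constructed sample: quarterly figures, confidential"
    _, server_log = transport_only(sample)
    print("transport-only: server logged", server_log)
    _, server_view = end_to_end(sample)
    print("E2EE: server could read", server_view)
```

Run as a script it prints the server-side view under both models: the plaintext under transport-only protection, `None` under E2EE. The relay's `seen` list is the point of the example: it is exactly the data a service operator, or anyone who compromises the operator's server, could read or be compelled to hand over, which is why the later sections treat the absence of E2EE as disqualifying for sensitive conversations.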


Two-Factor Authentication (2FA) 

Two-factor authentication (2FA) serves as an additional verification of your identity using the principle of password + "another code", e.g. in the form of an SMS code or a hardware token. 2FA represents an additional layer of security at login in case an attacker obtains the user's password.


Availability of source code 

Open-source code makes it easier for the security community to audit the application's code, i.e. to verify, for example, the declared cryptographic algorithms and the correctness of their implementation. It is worth noting that the availability of source code alone does not automatically guarantee higher software security, but it helps to discover vulnerabilities in applications that attackers could exploit.


Privacy 


Sharing user data with third parties 
Collaboration platforms often need to collect basic information in order to function. Nevertheless, they are expected to protect sensitive data such as the content of calls or the details of individual contacts. Information capturing conversations should not be shared with third parties. The sharing of information with third parties should be clearly defined in the privacy and data protection rules (GDPR). An application that does not have clearly described and established privacy rules raises questions about its security. For example, in online meetings it is important that none of the parties involved makes recordings without the prior consent of the data subjects. The recommended solution is to conduct online meetings without recording. For specific cases, the Data Protection Officer (DPO, under GDPR) or the Information Security Manager (ISM) should be consulted.

Application vulnerabilities and vulnerability management 

All software written by humans contains bugs, and therefore security flaws, i.e. vulnerabilities. A more useful clue is how the author, or the company behind the development of the software or the operation of the service, responds to vulnerabilities that are discovered: specifically, whether and how quickly that company is able to fix them, and whether it is willing to subject its product to an impartial third-party audit. We take the view that a service or software provider that genuinely cares about the security of its products will react promptly and transparently to any vulnerabilities or data leaks that are discovered, e.g. by reporting them on its website.

Choosing an application - platforms  

When selecting a video conferencing solution it is also advisable to consider the platforms (operating system or application environment) on which the participants will run the software or service. From publicly available information we can assume that the majority of operating systems will be Microsoft Windows and that mobile devices will mostly run Android (less often iOS). It is also important that the operating systems in use have the latest security patches installed. The number of users connected at a given time versus the load on the internet connection should also be taken into account when selecting an application. This matters for the smooth running of a video-conference without disruptions such as choppy video or audio, disconnections from the conference, etc. If an employee has a weak connection at home, they can fall back to audio only, without video, when necessary.


A closer look at selected applications and services

Zoom 

During the pandemic crisis it was seen as the first choice in the personal as well as the commercial sector, and even within the public sector of several countries. As its popularity grew, issues around privacy, security and user configuration began to emerge. Some of the privacy issues improved in early 2020 after the licensing terms were modified. However, according to multiple sources, Zoom still collects large amounts of user data.


In early 2020, experts were unflattering about the security of the app itself, as it exhibited inconsistent programming practices that resulted in, among others, the following problems:

  • a malicious website could turn on the user's webcam without permission (macOS client application)
  • user data was sent to Facebook even if the user did not have a Facebook account (iPhone client app)


Other issues worth noting included leaks of user data, poor cryptography (in this case Zoom outright lied), and the highly questionable practice of delivering the encryption keys needed to secure a call to participants via servers located in China, even though all of the participants, as well as the client company, were based outside China. Other experts point out that Zoom employs approximately 700 programmers through three Chinese companies, thereby exposing itself to potential pressure from the state authorities there, e.g. to deliberately introduce a security flaw through which the security of the application could be compromised.


At the end of the first quarter of 2020, after pressure from several parties, Zoom published a roadmap containing several steps to improve the security of its product. Meanwhile, the problem of Zoombombing in the free version of the app has still not been resolved. Zoombombing is the unwanted and intrusive disruption of an online video-conference, usually carried out by trolls or hackers who join the call directly over the internet. In such an incident the session is disrupted by the insertion of material that is obscene, lewd, racist, homophobic or anti-Semitic in nature, which usually results in the session being terminated. It is worth noting that experts have criticised Zoom for the above shortcomings.


It is worth mentioning that, after the recent security improvements, Harvard University reports using Zoom as its standard video-conferencing solution for teaching.


Google (Meet, Hangouts) 

Google offers several services, namely Hangouts, a free cloud-based video conferencing service for any user with a Google account, and Google Meet, a cloud-based video conferencing service with free and paid versions that is part of the paid G Suite services. The services are proprietary, i.e. the source code of the software on which they are based is not available for inspection. The differences between these services lie in the functionality offered, for example screen sharing, the limit on the number of participants, or the possibility to join a video-conference as a guest without registration. With Google Meet, guests are required to log in to a Google account if the video-conference organiser uses a personal account; if the organiser uses a paid G Suite package, guests can participate without logging into a Google account. Both Google Meet and Hangouts are accessible via a web browser, which is an advantage in terms of multi-platform support. It is a cloud-based solution with no self-hosted option (data on your own servers). In terms of security both solutions are at almost the same level, but neither supports end-to-end encryption. For both it should be taken into account that user data is of interest to the service provider, Google (social engineering).


Skype for Business 

Skype for Business is commercial proprietary video conferencing software with a long history, matched by advanced functionality and integration with other Microsoft products. The software is part of the Office 365 cloud solution, but can also be deployed in your own infrastructure (on-premise). It does not offer end-to-end encryption, and with the cloud version it is reasonable to assume that user data will be of interest to the service provider, as with Google Hangouts. As of 2019, Skype for Business is no longer part of the product portfolio for some Microsoft customers, and overall support for the product will end in July 2021. Microsoft Teams has become its successor.


Microsoft Teams 

Microsoft Teams is commercial proprietary software that offers not only video calls but also additional features and collaboration options between users (chat, screen sharing, document collaboration). The software is well integrated with other Microsoft products. MS Teams is available either free of charge or as a paid version within Microsoft Office 365 (MS O365) as a cloud-based SaaS service. The free version of MS Teams allows video calls via Microsoft servers for up to 50 participants; with the paid versions the number of participants can be higher. In both cases it is possible to join a video-conference without registering (guest account). When using the free version, it is noticeable that the service provider tries to persuade the user to subscribe to MS O365 services. The software can be used via a web browser. Multi-factor authentication (2FA) is also available. It uses standard encryption via the TLS, mTLS and SRTP protocols, but does not offer end-to-end encryption (E2EE), which disqualifies it in scenarios where users need to exchange sensitive information. MS Teams, like competing software, has had a number of serious vulnerabilities in recent years, which were patched within a short time as part of vulnerability management. MS Teams is a very usable solution for communication and collaboration in organisations, but the shortcomings of the software/service described above need to be considered. Doubts about the privacy of user data at Microsoft have been raised several times in the past. During the preparation of this analysis, Microsoft technical support informed us that the company is working on a concept in which an organisation would be able to use its own encryption keys, which could increase the confidentiality of transmitted data.


Cisco Webex 

Cisco's Webex is a commercial, proprietary video conferencing solution with a free version available. The server part of the product runs on the service provider's infrastructure, so it is a cloud service. Deploying the server part on-premise (on your own servers) is no longer possible, as Cisco has announced end-of-life, i.e. the end of sales and support, for Cisco Webex Meetings Server, the product that could be deployed in your own infrastructure. The information on product security and risk modelling published by the manufacturer shows that the company takes product security seriously. The software uses standard, auditable cryptographic algorithms and protocols for which there are currently no publicly known security vulnerabilities. Webex is highly popular and is often seen as an alternative to Zoom. In addition to video conferencing, it also offers chat, scheduling, drawing and screen sharing, which increases its usability for the average user in an organisation's environment. There is also very good feedback on the reliability of the product itself. Within its vulnerability management, Webex has its own "Bug Bounty" initiative, a platform within the application for reporting security vulnerabilities found by volunteer researchers.


Summary  

Most of the services analysed are suitable for routine work, such as tutoring students from home or meetings between colleagues, where no sensitive information is communicated and where unconditional confidentiality and some aspects of privacy are not a determining factor. Where users work from home and need to communicate and exchange information, however, situations may arise in which they also need to exchange information of a sensitive nature.


For this scenario, we recommend selecting a video conferencing solution that meets the following criteria:

  • end-to-end encryption (E2EE) - guarantees data confidentiality between subscribers,
  • multi-factor authentication (2FA) - provides an additional form of security when logging in,
  • the possibility of local hosting (on-premise) - the ability to control the infrastructure on which the server part of the software runs and also the metadata generated during the operation of the service.


Additional criteria may be user-friendliness and multi-platform support, preferably with the ability to join a video-conference via a web browser.


Of the cloud services listed, we recommend leaning towards Cisco Webex, using the native MS Windows application with end-to-end encryption.


For a theoretical scenario in which educational institutions or municipalities could use one of the video-conferencing solutions for distance learning, we can imagine a solution with the following features:

  • Free solution - removing the barrier to entry in the form of procurement costs.
  • Cloud-based - it removes the burden of running your own infrastructure (the necessary hardware, deployment, administration) and staff.
  • Multi-platform - the ability to participate in a video conference via a web browser so that you can connect from any device or operating system.
  • Video conference access control - the event administrator should be able to control access to the video conference. 


From the above requirements we derive the following specific solutions:

  • Cisco Webex
  • Zoom (in paid version) 
  • Microsoft Teams


For services from Google or Amazon, we see the need to register with these companies as a barrier to entry. It is also worth mentioning that some prestigious foreign universities (Harvard) have chosen Zoom as their standard means of distance learning. The City of New York has also permitted its use in its schools after a security flaw discovered earlier this year was fixed.


However, the security of applications can change over time, so it is important to continuously monitor trends in the security risks of these applications. If you are unsure about the security of an application you are using, or suspect a data breach, contact your organisation's Data Protection Officer (DPO) or Information Security Manager (ISM) immediately.



This article is not an original piece by the author; it is an extract of the most interesting information from the CSIRT.SK analysis "ANALYSIS OF SELECTED VIDEO-CONFERENCE SOLUTIONS".

The full analysis can be found at this link: https://www.csirt.gov.sk/doc/Video-konferencie1.0.pdf