By Dustin Gawron, Martin Waleczek and Vanessa Weidler, EDUCV | Read Part 1 of this blog here
At the beginning of the pandemic the need for videoconferencing solutions gave many administrators and institutions a lot of headache. Organisational and different technical aspects alike can be obstacles.
Choosing the Right Solution
As with any other product many different aspects need to be kept in mind when choosing and setting up a new solution. With communication tools especially, data-protection and security aspects play a big role, as secure and reliable communication channels are very important nowadays. With that said, many institutions had a hard time choosing between local and open source, but often less user-friendly solutions, e.g. Big Blue Button or Jitsi, and cloud-hosted solutions with multiple nice features from the big players on the market, e.g. Microsoft Teams, Webex or Zoom.
It is difficult to recommend a specific solution here because it mostly depends on the use-case, but institutions should always keep in mind that there are trade-offs between solutions. Cloud-hosted solutions are easily accessible from everywhere and often offer high performance. But on the other hand, it is very difficult to know what happens with sensitive data that gets transmitted and stored. This can sometimes become a problem with strict regulations, especially when servers are hosted in other countries. Local solutions allow for better control over transmitted data and give full control of the data stored on the server. Even though many open source solutions improved their usability and performance in the last few months, they often still are not on par with commercial solutions.
Depending on the use-case, the existence of certain security functions should be checked. For best security a solution supporting full end-to-end encryption (E2EE) should be used, this can mitigate the problem of data getting transmitted over untrusted servers. But also viable functions to secure access to meetings and moderate them, especially for larger groups of attendees, can be necessary and should be tested before deciding on a final solution. It is very important to clarify what kind of solution is needed, carefully choose one and in the end convince users to stick to this solution, actually this can be the hardest part.
As with any other service an institution offers, a secure configuration, that is still usable by regular users, needs to be found. Many solutions offer a large variety of configuration options that should be carefully reviewed before opening the service for your userbase. In some cases security related options are disabled by default, which can put users at risk without them even knowing. If possible, settings such as end-to-end encryption (or at least transport encryption), automatic setting of passwords for new meetings, moderation features or even simple options such as deactivated microphones and webcams when joining meetings should be enabled for all users by default. This can make it a lot easier for users to host secure videoconferences. When it comes to encryption settings it should be checked that all transmitted data is encrypted and not only some parts, e.g. the text chat. It can also be useful to disable certain features in general, like file transfers or recording, to reduce the attack surface when they are not needed.
Users should be informed about the available functions and configuration options they can use in order to host videoconferences. Tutorials can be really helpful to show users how to work with the new solution and which steps need to be taken. If certain restrictions apply, like only internal availability through a VPN or the need to use a proxy server, users need to be taught how to use those functions as well.
Setup of a new videoconferencing software can be a difficult task for network administrators as well. There are lots of different protocols that come into play, not only between different solutions but also for different steps during a videoconference. As long as users are directly connected to the internet those protocols work as intende, but in most institutions traffic is routed through firewalls and NAT gateways to secure internal systems from external access, but to also allow internal systems to communicate with the outside. This usually restricts certain protocols from working out of the box and needs additional techniques, like STUN and TURN, to get it working properly. The problem at this point is, that such changes in network configuration, especially when opening ports to locally hosted videoconferencing solutions, can lead to a larger attack surface and open up new vulnerabilities. Depending on how strict local network security configuration is, it can be quite difficult to strike a balance between usability and security.
Many solutions nowadays therefore use HTTPS for everything instead of peer-to-peer (P2P) connections between the attendees of a videoconference, which resolves many problems. In those cases all the data is usually transmitted through some servers that belong to the videoconferencing solution. In most cases users can establish HTTPS connections to external services in order to view websites, so there is no need to add rules for additional protocols or to expose certain ports to the internet directly. The downside here is that all traffic needs to be handled by a server and run through it. This can need a lot of processing power and also could enable the recording of audio and video if no end-to-end encryption is used.
Attacks on Videoconferencing Software
Videoconferencing software is still software: it consists of thousands to millions lines of code — each prone to failure — and with the rise of conferencing solutions the interest in vulnerability research for this topic rose as well. Whenever a native client software is run on your system which processes untrusted data there is potential for disaster. The bigger names have all been hacked in public at competitions like Pwn2Own in the past and more often than not the client software could be utilised to fully compromise impacted systems. Of course, this is just the tip of the iceberg and a lot, if not most, of the research targeting vulnerabilities in such widespread software is not done in public. There is a market for vulnerabilities that are unknown to vendors (0-Days) fuelled by nation-state actors, so as long as programs like Pegasus (NSO) or the German Staatstrojaner remain lawful or are actively pursued, security researchers can always opt to quietly cash out instead of making their research public.
Sometimes there are security problems with feature implementations as well. Zoom famously made the entire screen available to other participants for some milliseconds (i. e. transmitted and hence recoverable frames) when users only wanted to share part of the screen. Muting oneself in Big Blue Button would still record and transmit audio to the server. Microsoft Teams allowed malicious actors to steal emails, messages and files of other members of their organization via a feature called Power Apps applications. The list goes on.
So there is a case to be made for using conferencing tools only via the browser. However, this usually goes in line with lack of special features such as screen sharing or lack of conveniences, like the grid view of the audience, and can have performance implications as well. Browsers have become a lot better in handling several simultaneous multimedia streams during the pandemic, but sending video data and receiving a lot back can still severely impact the available system resources. And ultimately, browsers are software after all as well. Whether a browser or a dedicated client software is used, regular installation of updates is really important when it comes to communication solutions because they are used by many different and maybe untrusted users.
During the early days of the pandemic another problem frequently showed up in a lot of online meetings. Unpleasant surprise visits by non-invited actors lead to the fast adoption of password protected meeting rooms and lobbies, where participants had to wait until the host approved their attendance manually. Such events have become much rarer lately and research suggests that the majority of calls for zoom-bombing are made by insiders rather than attackers who obtained invitations illegally or guessed meeting password. This makes password protection and lobbies — at least for meetings where the host does not know all participants by face or name — less effective and the only viable solutions seems to be sending out unique links for each participant, so that access can be easily revoked upon compromise.
About the authors
The authors, Dustin Gawron, Martin Waleczek and Vanessa Weidler, are members of the EDUCV (EDUcation CERT-Verbund). EDUCV is a working group consisting of incident response teams (especially CERTs/CSIRTs) of institutions of the german academic sector. The purpose of EDUCV is sharing information and advanced training for the participating security teams. The teams are supporting each other with security analyses as well as with conception, development and operation of security solutions.
Also this year GÉANT joins the European Cyber Security Month, with the 'Cyber Hero @ Home' campaign. Read articles from cyber security experts within our community and download resources from our awareness package on https://dev.connect.geant.org/csm2021