The Zoom Video Conferencing Vulnerability Is a Reminder to Take Security Seriously

Zoom's video conferencing vulnerability could have been exploited.

By now we’re all familiar with the damage that the hackers of the world can wreak on our online privacy and security. But hackers wear white hats as well as black. The story of a recent Zoom video conferencing vulnerability highlights what those in the white hats can do for us.

One of the good guys recently discovered a vulnerability in the Mac application of the popular video platform that could potentially allow hackers to take control of your webcam, gaining a view into your home or office.

While the alert went out in time for both Zoom and Apple to act, the discovery was a timely reminder to take video conferencing security seriously. And we can’t always rely on these hacking “good guys” to come to our rescue. Video conferencing security is the responsibility of both the vendor and the user. Fortunately, there is at least one practical step you can take to stop prying eyes from looking back at you through your webcam.

A Zoom Video Conferencing Vulnerability

The recent Zoom scare was publicly revealed by an engineer with the open-source project Gradle–a free software development tool. The vulnerability potentially allowed hackers to access a webcam without permission through a Mac Zoom Room. Such is the meteoric rise of Zoom, which culminated in a highly successful public listing earlier this year, that the defect could have affected around 750,000 companies.

The flaw meant hackers could activate a user’s camera and force them to join a Zoom call. It could also result in a Denial of Service attack on the user’s computer, whereby a device is rendered useless by a prolonged bombardment of access requests, in this case by repeatedly making the target’s webcam attempt to join an invalid meeting. The flaw was based on Zoom’s meeting link feature that allows users to join a video call by clicking a web address invite–hackers could potentially hijack this accessibility for their own ends.

The flaw has since been addressed by Apple and Zoom, but it isn’t the only security threat Apple has faced in recent months. The same flaw was also present for Mac users of RingCentral. To make matters worse for Apple, it had to disable its Watch Walkie Talkie feature after an undisclosed vulnerability surfaced that allowed hackers to potentially listen in through another user’s iPhone without their knowledge or consent. 

There’s no suggestion that any black-hat-wearing hackers made use of these eavesdropping flaws, but the intimacy of video conferencing makes it particularly unsettling to think that our devices could be used against us.

Who’s Watching Us?

Mark Zuckerberg and former FBI Director James Comey became the butt of some low-tech internet memes a few years ago after they were caught covering their webcams with good old-fashioned tape–but there is some wisdom to their approach.

In 2014, a Russia-based website began broadcasting hacked live feeds from more than 4,500 devices in the U.S. The site was eventually shut down, but not until it had broadcast some very personal images, including some from remote baby monitors.

Video conferencing by its very nature is always going to present a unique security consideration. The technology relies on making connections outside the personal and professional security barriers and firewalls we erect in defense on our internet-linked devices. The signals we send and receive move through a global network of third-party servers that are far beyond our personal control; even if you have the know-how to build your own private connections, the technology is prohibitively expensive and somewhat limited.

Instead, we must place our trust in the encryptions and protections offered by the vendors to which we subscribe. The Zoom video conferencing vulnerability discovered earlier this summer proves that even when the biggest names in the business are involved, there’s no such thing as a perfect system. That’s why we shouldn’t be so quick to dismiss the DIY security of Zuckerberg and Comey…although there’s a less sticky way to do it.

Stay Secure Behind a Privacy Shutter

There are several video conferencing best practices you can adopt to make video a safer medium. If you’re operating an enterprise system, the order of the day is unified communications across a common platform. We’ve heard stories of companies using up to five different video vendors across their system, which is a recipe for disaster (not to mention expensive and confusing). Additionally, you should have a video conferencing monitoring system set up to keep a constant eye on your endpoints and call quality–this can help your IT team identify anomalies more quickly.

There are also some smaller-scale solutions you can implement, including:

  • Removing public wifi access
  • Storing data in the cloud, rather than locally
  • Updating your video platform as soon as new versions are released
  • Deploying common firewalls across a VPN
  • Monitoring and standardizing employee devices
  • Insisting on multi-factor authentication rather than a single password
  • Treating private employee networks as foreign parties

Those measures are all designed to reduce the chances of those black-hat-wearing hackers gaining access to your system. But there’s a final fallback option that will prevent any attacker from getting a look into your private world even if they do gain control of your webcam: a webcam privacy shutter.

That’s right, these simple hinged or sliding pieces of plastic render a webcam useless to the invading cyber hordes. Many webcam manufacturers include the feature on their products, including the market-dominating peripherals company Logitech. Of course, obscuring the camera won’t stop someone from listening to audio through the connection, but a mechanical shutter is a far cleaner way to limit the privacy invasion possibility of your webcam if you choose to leave it constantly plugged in.

The lesson to be learned from the Zoom video conferencing vulnerability reveal is that security is the responsibility of everyone involved in supplying and using a video connection. Do your vendor research, take steps to secure your own network, and when all else fails–simply cover up your webcam. We can’t rely on the white-hat hackers to fix all our problems.
