REMOTE LITIGATION ACADEMY™
Exposure of Online Proceedings to Snooping
The Prying-Eye vulnerability is an example of an enumeration attack that targets web conferencing APIs with a bot that cycles through (enumerates) and discovers valid numeric meeting IDs. If the meeting host has followed the common practice of disabling security functionality or not assigning a password, the bad actor can view or listen to an active meeting. If a user has chosen the option of configuring a personal meeting ID to simplify meeting management, a bad actor can store that information for future snooping activity.
Any application, not just video conferencing, that uses numeric or alphanumeric identifiers is susceptible to an enumeration attack technique. The tendency of web conferencing end users to disable or ignore security functionality, for whatever reason, has significant business ramifications.
Security of all types, from the traditional network level to user best practices, is increasingly important, and ensuring web conferences are secure should be common practice. If a meeting is compromised due to a vulnerability like this, a bad actor would be able to eavesdrop on the proceeding.
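A defender-side illustration of the enumeration pattern described above, added here and not taken from Cisco, Zoom or the original article: it scans join-request logs for clients that look up many distinct meeting IDs and mostly miss. The log format, the thresholds and the name `find_enumerators` are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample of join-API log records: (client, meeting_id, http_status).
# Hypothetical format: 200 = meeting exists, 404 = no such meeting.
SAMPLE_LOG = (
    [("203.0.113.7", str(100000000 + i), 404) for i in range(40)]
    + [("203.0.113.7", "100000040", 200)]
    + [("198.51.100.20", "482913377", 200)] * 3
    + [("198.51.100.21", "482913377", 200), ("198.51.100.21", "48291337", 404)]
)


def find_enumerators(records, min_distinct=20, min_miss_ratio=0.8):
    """Return clients whose lookups look like meeting-ID enumeration.

    A client is flagged when it asks for many distinct meeting IDs and most
    of them do not exist. A normal attendee requests one or two IDs and
    nearly always hits a real meeting; a single mistyped ID stays below the
    distinct-ID threshold. Both thresholds are illustrative assumptions.
    """
    seen = defaultdict(dict)  # client -> {meeting_id: did it ever resolve?}
    for client, meeting_id, status in records:
        exists = status == 200
        seen[client][meeting_id] = seen[client].get(meeting_id, False) or exists

    flagged = {}
    for client, ids in seen.items():
        distinct = len(ids)
        misses = sum(1 for exists in ids.values() if not exists)
        ratio = misses / distinct
        if distinct >= min_distinct and ratio >= min_miss_ratio:
            flagged[client] = {
                "distinct_ids": distinct,
                "miss_ratio": round(ratio, 3),
                # Valid IDs this client found: check these meetings have a password.
                "discovered": sorted(m for m, ok in ids.items() if ok),
            }
    return flagged


if __name__ == "__main__":
    for client, info in find_enumerators(SAMPLE_LOG).items():
        print(client, info)
```

The `discovered` list is the useful output for a host or administrator: those are the meetings whose IDs are now known to the scanning client, so they are the ones to check for a missing password.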
Addressing the vulnerability
Both Cisco and Zoom have posted advisories to their customer base with steps on how to address this vulnerability.
According to the Cisco Product Security Incident Response Team (PSIRT), “We have issued an informational security advisory to provide our customers with the information they require. Notably, the most effective step to strengthen the security of all meetings is to require a password – which is enabled by default for all Webex meetings. Cisco PSIRT is not aware of any malicious exploitation of this potential attack scenario.”
“Zoom has improved our server protections to make it much harder for bad actors or malicious bots to troll for access into Zoom meetings. In addition to our detection and prevention mechanisms in the data center, we provide meeting hosts with extensive protection controls, such as preventing attendees from joining a meeting before the host, and the very popular waiting room feature. Zoom hosts can also choose to protect their meetings and webinars via password. Passwords are now enabled as the default setting for Zoom meetings, but as is true of other security options, meeting hosts are free to choose security settings that are most appropriate to the sensitivity of their meetings,” said Richard Farley, CISO of Zoom Video Communications, Inc.
Is Cisco Webex encrypted?
Webex has you covered with encryption for data in transit and at rest, along with the option for end-to-end encryption (E2EE) if needed. All media streams are encrypted during sessions between Webex apps and the Webex cloud.
Is Zoom encrypted?
Zoom Rooms – Communications are established using 256-bit TLS encryption and all shared content is encrypted using AES-256 encryption. The Zoom Rooms app is secured with App Lock Code.
Skype has technical hiccups that prevent it from reaching its full potential. Despite having better video and audio than Zoom, Skype is known to freeze up.
“Skype freezes up a lot and causes disturbances in the video which I hate,” says Noor, a Skype user. “Oftentimes I have to end my call and call again. It’s not good quality and takes away from the meeting experience.”
Users also note that it’s difficult to get help or support with Skype, which is surprising since it’s all under the Microsoft umbrella. Additional feedback regarding disadvantages includes the amount of bandwidth the platform takes up, connectivity issues, and Skype’s clunky, hard-to-use UX. It’s still one of the better tools out there, but due to the disadvantages, Skype still leaves a lot of users wanting.