Hear (some) evil: How video conferencing software can undermine security

Vulnerabilities in nigh-ubiquitous apps like Zoom, Microsoft Teams and Slack, combined with the behavioral changes that accompanied many people’s unexpected move to remote work, have had an outsized impact on security.

The pandemic-wrought transition from work cubicles and dress codes to home offices and shared workspaces has introduced new security challenges — not least because of vulnerabilities in the video conferencing apps (VCAs) that enabled this shift.

“While hybrid work creates flexibility and scalability,” Zoom head of trust and safety Josh Parecki told README via email, “it presents information security challenges…as employees work from offices, homes, coffee shops, airports and more.”

People first started to flag problems — such as unwanted guests in meetings — in VCAs like Zoom in the early days of the coronavirus pandemic. Companies have largely addressed those concerns, but vulnerabilities in their software continue to be an issue.

At time of writing, Zoom alone had reported 20 vulnerabilities for 2022, with over a dozen of them receiving a CVSS score of High (>7.0) and one of them being considered Critical (>9.0). These included malicious actors gaining access to audio and video feeds and URL parsing vulnerabilities that could be exploited to enable remote code execution on a target system.

Meanwhile, numerous security issues have been flagged in Microsoft Teams and Slack, too.

An experimental security analysis found both apps to have security flaws that allowed malicious apps to access user messages and third-party resources connected to the platforms.

But even when VCAs aren’t suffering from vulnerabilities, they might not respect our privacy as much as we think.

The privacy mismatch

“We understand that we’re living in a world where these apps have to access information to support some sort of functionality,” Kassem Fawaz, a cybersecurity researcher at the University of Wisconsin-Madison’s College of Engineering, told README. He added that the biggest problem with VCAs is “a privacy mismatch — users think that device or the app is doing something [but] the app is doing something else.”

Fawaz and his colleagues published a study in April 2022 that sought to answer a seemingly simple question: “Are you really muted?” The researchers examined 10 video conferencing apps, including enterprise services like Zoom, Slack and Microsoft Teams as well as consumer apps such as Discord, to find out what hitting the “mute” button in these apps truly did.

When most people mute themselves in video conferencing apps, their operating system of choice will continue to show that the app has access to their microphones. Fawaz said that’s because if the app stopped using the microphone, it would need to re-request access to it when users go to unmute themselves, and that wouldn’t lend itself to a satisfactory user experience.

So instead the apps maintain access to the microphone even when users have muted themselves. They don’t use data received from the mic, however, with one notable exception.

Emiliano Cicero / Unsplash

“The only exception we found was Webex,” Fawaz told README. “They were actually consuming the bytes all the time, and using that to report audio telemetry data to their servers.” (At least until the researchers submitted a report to Cisco, which patched it out.)

The researchers also discovered that video conferencing apps that stopped consuming data from the microphone on desktop operating systems like Windows continued to use the data on Android. “In my perspective,” Fawaz said, “using these VCAs on a constant basis expose users to another layer of security and privacy problems that were not there before.”

Hot mic: Problems start with the operating system

Right now it’s up to VCA providers to protect their user’s privacy — at least when it comes to their microphones. Fawaz told README that many devices feature physical switches or universal “off” buttons for their cameras, but that isn’t the case for their mics.

“When you turn off the camera from the app itself,” Fawaz said, “it engages an operating system control that turns off the hardware.” But in terms of the mic, “we’re really at their mercy [of the VCA] if they decide to use the microphone data [as] there’s no control from the operating system or the hardware preventing that.”

That’s starting to change. Microsoft introduced a universal mute button in Windows 11, for example, which Fawaz said was a good start. Now it’s up to other companies — namely Google and Apple — to introduce similar controls in their operating systems as well.

But its not just a technical problem

Parecki told README that remote workers face a variety of threats they didn’t have to worry about before. That’s why Zoom has employed various zero-trust strategies, he said, in addition to stressing the importance of training employees across potential workplaces.

That’s a lot of pressure for security training providers — and it might not be totally justified. Psybersafe CEO Mark Brown told README that changing perceptions of work in the pandemic era have created “an issue that is massively underestimated,” sure, but training can’t solve that alone.

It doesn’t help that cybersecurity training has often been poorly done, Brown said, and looked at as an exercise to tick off for compliance requirements rather than something meant to impart meaningful knowledge about how people should adjust their behavior.

“Sustained behavior change doesn’t happen with one video,” he said. “You need sustained intervention.”