Video conferencing software is handy for everything from talking to family members who live far away to setting up big international work meetings. But some of the software used for conferencing may not be as secure as you think it is. There are a number of security vulnerabilities to be found in conferencing software like Skype.

Vulnerabilities in Skype

Video Conferencing Security - Vulnerabilities in Skype

Skype is one of the most popular video conferencing tools for both personal use and for business communications. And now the app is owned by Microsoft, one of the largest technology companies in the world. So you might assume that it is without security issues. Unfortunately, that's not the case.

In 2018, a researcher disclosed a security vulnerability which allowed malware to change users' computers via the Skype update mechanism. If hackers were able to take advantage of this vulnerability, they could run code which allows them full access over Windows PCs which had Skype installed. Hackers could have installed software, stolen data, or spied on users.

Fortunately, Microsoft had identified and patched this issue before the reports emerged. In a post on the Microsoft support forums, a member of the Skype team said that this issue only affected Skype versions 7.40 and lower. "The issue was in the program that installs the Skype software---the issue was not in the Skype software itself," she said in the post. "The installer for the current version of Skype for Windows desktop (v8) does NOT have this issue, and it has been available since October, 2017".

The good news in this case is that Microsoft patched the issue before the public became aware of it. However, take this as a reminder about how important it is to keep your software up to date.

Vulnerabilities in Zoom

Video Conferencing Security - Vulnerabilities in Zoom

Another popular video conferencing option, especially for businesses, is Zoom. But this too has had its share of security issues.

Mac Local Web Server Vulnerability

In 2019, security researcher Jonathan Leitschuh announced a vulnerability he had identified in the Zoom app for Mac. The exploit used the local web server which runs in the background to enable Zoom to function on Mac. That local web server had vulnerabilities which allowed hackers to interact with it through websites. It could even turn on users' cameras without their permission. Leitschuh warned that hackers could use the vulnerability to turn on cameras to gather information for phishing attacks.

Strangely, at first Zoom responded in a blog post by essentially denying that this was a problem. The company said that it had released a fix but "we did not force our users to update because it is empirically a low-risk vulnerability." They also went on to criticize the researcher for the way he disclosed the vulnerability. In some ways this behavior was more worrying that the vulnerability itself. Security issues happen to practically every software company, but companies should be proactive in protecting users when concerns come to light.

Zoom eventually walked back from their position, saying, "we misjudged the situation and did not respond quickly enough". They released an update to the Mac app which removed the local web server and fixed the problem. They also pledged to improve their bug bounty program to hopefully avoid problems like this in future.

Spying on Meetings via Meeting IDs

Another Zoom vulnerability was disclosed by Check Point Research in January 2020. The firm discovered an issue with the way Zoom assigns Meeting IDs. These IDs are strings of nine to 11 digits which designate a virtual room for participants to meet in. It is possible to also set a password for meetings. But if hosts don't set a password, the Meeting ID is the only thing keeping the meeting private.

Check Point discovered they could randomly generate Zoom Meeting IDs. Then they could quickly check whether these IDs were valid. In the end, they were able to predict around four percent of randomly generated Meeting IDs. With these Meeting IDs, the researchers were able to access meetings which should have been private.

The good news here was that Zoom seemed to have learned from their previous mistakes regarding security. When Check Point disclosed the vulnerability to Zoom, Zoom quickly took action to fix it. They brought in protections like adding a password to future meetings by default.

Zoom also changed their system to make it harder for outsiders to tell if a Meeting ID is valid or not. Finally, they block devices which repeatedly scan for Meeting IDs.

These changes should make it much harder for any hackers to view Zoom meetings they shouldn't.

Vulnerabilities in Webex

Video Conferencing Security - Vulnerabilities in Webex

One more video conferencing option you'll see used in the business world is Cisco's Webex Meetings Suite and Webex Meetings Online sites. This software had its own vulnerability disclosed in January 2020 as well. The vulnerability allowed an unauthorized person to join a meeting which should have been password protected, even when they did not have the correct password.

The vulnerability took advantage of an issue in the Webex mobile app, when a user clicks on a weblink to a meeting. The browser then directs the app to open. The unauthorized user could sneak in at this point.

In this case, Cisco disclosed the vulnerability themselves. The company also said it has fixed the bug and that no update of software is required.

How to Secure Your Video Conferencing Software

With all these vulnerabilities, it's not easy to be completely sure that your video conferencing software is secure. But there are some steps you can take to improve your video conferencing security:

  • Keep your software up to date. All of the vulnerabilities we discussed in this article have now been fixed. But you can only get the fix if you update your software. Not updating your software leaves these security holes open.
  • Check what hardware your apps have access to. Whether you're on PC or a mobile app, you can check whether software has access to your camera or microphone. If you want to attend meetings with audio only, you can revoke access to your camera altogether.
  • See if your laptop has a camera indicator light. Many modern laptops with built-in webcams have an indicator LED somewhere which lights up when the webcam is in use. Check if yours does, and if the light goes on while you're not using your camera then investigate further.
  • Remember security for conferencing is a two-way street. When you're conferencing, you don't just need to make sure your own software is up to date. You should also encourage the people you are chatting with to update their software too.

Alternative Video Conferencing Software

Any type of software can be vulnerable to security issues. If you want to try something different to mainstream conferencing software like Skype, check out our list of the best free Skype alternatives.