Welcome to the wonderful world of videoconferencing and its security flaws! You think that the issue of web conferencing security is only about eavesdropping? No, the problem is much larger and remains quite confidential.
In one sentence: videoconferencing can seriously expose the security of your workstations and networks!
Journal du Net – 03 Nov 2021 – Francois Caron
Who is listening?
To understand where the security flaws of video conferences and webinars lie, you need to understand how “WebRTC“ (Web Real Time Communication) works
But when communications are not secured, it is possible to listen to the audio-video streams. In addition, many solutions do not adequately secure the identity of the participant that a hacker can impersonate, according to this thesis from Polytechnic Catalonia (PDF).
Because not all videoconferencing systems are equal, spying on data or other information is sometimes possible.
We remember, in November 2020, a “confidential” conference of the European Commission, which a journalist accessed on Zoom.
But let’s remember that a real hacker will not contact you to report his misdeed, and that there are several methods, and security holes, known and unknown …
What are the challenges?
Among the security flaws of webinars, the most disturbing is that WebRTC inventories your network to access the endpoints, behind your firewall.
Huge? No, it’s standard procedure, because the endpoint inventory is necessary to associate endpoints in one or more secure networks.
In concrete terms, to connect three workstations in Peer to Peer during a video conference, the WebRTC system (Teams, Zoom, Jitsi, etc) inventories the information on the terminals.
To bypass firewalls, WebRTC assigns an address to the terminals in a secure network. These procedures are complex and are not widely communicated by the editors.
This data allows access to the terminals of the secure network, it is transmitted via a server whose location, security and applicable legislation are unknown.
Although the case is frequent, videoconference publishers rarely inform their users that the technology is operated by foreign subcontractors.
Most of the time, this information is out of your control. You do not have the inventory of WebRTC communication services (Turn, Stun, ICE for “Interactive Connectivity Establishment“) that allow terminals to connect.
This complexity is a weak point for the security of videoconferences and webinars.
For ease of use, many vendors claim to be RGDP compliant. But this is not enough, especially when the system claims to be compliant and secure.
What are the real risks?
Do you doubt the information in this article? You’re right, we need evidence to prove this claim: “data can be hacked!”
First of all, let’s specify that an Internet user who participates in a videoconference from his home, even if equipped with a VPN, can expose a public IP, and be subject to attacks. This is due to the standard operation of the browser in the presence of malicious script.
But let’s go back to ICE (Interactive Connectivity Establishment) which allows to recognize the stations connected to a WebRTC videoconference.
ICE uses Turn technology to cross secure networks in order to switch computers participating in a videoconference from a protected network.
This is what network engineers call “NAT resolution“, which allows access to endpoints in an intranet.
Although methods exist to secure the Turn server and the terminals, the editors are not very talkative on this point.
What recent hacks?
Already in 2014 Ericsson engineers studied the security flaws of the Turn process: “an attacker who is able to listen to an exchange of messages between a client and the server to determine the password” What Zataz confirmed, as a flaw impacting the security of VPNs.
December 2018, during the SecureComm conference, were exposed methods for a “misuse of web browsers for storage and distribution of hidden content“
April 2020, the Future of Internet Forum noted “The problem of using WebRTC to map intranet topology from an external attacker” and offers a highly documented analysis (PDF).
June 2020, a security forum reported on the abuse of the Turn service by the 8×8 US publisher of Jitsi, stating that this exploit “allows remote attackers to reach internal services on the server itself as well as on the internal AWS network.”
WebRTC security is therefore not a legend, it is a hot topic.
Which solution ?
Let’s summarize. These WebRTC videoconference security issues can expose the security of networks, terminals, etc.
This is why, without question, a videoconferencing solution should be able to detail its strong security guarantees.
It is no longer debatable, regardless of the level of confidentiality of communications, WebRTC videoconferencing technology can expose IT security.
Beyond the procedures for securing audio-video flows and their transport (SDP, DTLS, SRTP), the communication components (ICE, Stun, Turn), a term is needed to guarantee a high level of security: “End-to-end secure architecture“.
End-to-end security, also called “e2ee” (End to End Encryption) aims to encrypt all the exchange points of the WebRTC architecture: terminals and servers in order to protect your resources and your communications.
The central question is therefore “is this video conferencing application end-to-end encrypted?”
What criteria to require?
End-to-end encryption is a key indicator for your security.
In April 2021, a guide from the Front Line Defenders Foundation concluded that many video conferencing systems are not yet end-to-end encrypted.
The guide states that Jitsi Meet is (still) working on it, while with Teams “someone with access to these servers can potentially intercept your messages”.
And this guide remains quite cautious about other solutions: “We have not included tools such as Zoom, Skype, Telegram, WhatsApp … the margin of risk when using them is too great.”
End-to-end encryption is a requirement. But let’s also emphasize that a security certification validates development and hosting practices, without making an inventory of out-of-scope hazards… necessary precision.
Finally, Empreinte.com specifies that it does not install any software on the terminals in order to simplify the life of users and CIOs, completing Tim Berners Lee’s quote “The ultimate purpose of the Web is to support and enhance our lives”, not to complicate them…
Whether you’re a CIO or an Internet user, you now know the rules of the game: a demanding and continuous search, an end-to-end encrypted solution, or some uncertainty…
It’s up to you!