Video conferencing security continues to make news every now and then. Last year, it was HD Moore who hacked into conference rooms around the globe and this year German magazine Der Spiegel said the NSA hacked into the United Nations video conferencing system. In the wake of these events, many users of video conferencing get worried and some get downright paranoid. However, video can be extremely secure if it is configured properly.
All standards-based video conferencing systems include 128-bit AES encryption, which secures the audio and video data being sent between users. Encrypting the audio and video packets prevents hackers from seeing where the data is going or what the contents are. According to an article from the EE Times, it would take one quintillion (10^18) years to crack AES encryption using a brute force attack, meaning the data is highly protected.
So if AES encryption is so strong, and most video systems support it, why do there continue to be stories of systems getting hacked? Because faults in configuration create weaknesses that leave systems vulnerable to attack.
The most common faults, which also happen to leave systems the most vulnerable, are placing systems outside a company’s firewall and configuring them to answer calls automatically. Together, these allow virtually anyone to dial into the video conference system undetected, because there is no firewall to prevent unwanted access and the only visual evidence that a call has been connected is a tiny light on the camera.
While these are the most severe configuration issues, a recent post on No Jitter mentions other common faults that can leave video systems vulnerable. These include:
- Using outdated video systems that don’t support encryption
- Failing to use the most current software on video systems and other devices
- Connecting to other devices like gateways or video bridges that either don’t support or have encryption turned off
- Failing to use proper passwords, not changing passwords often enough, or failing to keep those passwords secure
So, what can be done to help keep video conferencing environments secure?
One of the best things to do is invest in a firewall traversal device such as a Cisco VCS Expressway or Polycom VBP. This allows devices to remain behind a firewall but retain the ability to connect to the public internet. As a result, members located on an internal company network can connect with other participants located outside the network without compromising the network’s security.
An alternative to investing in hardware is to subscribe to a cloud-based managed service. These services provide access to a team of highly trained video professionals who will ensure every call is connected in a secure manner and confirm that all endpoints are configured to security standards.
Additional security options include:
- Change encryption settings from On (If Available) to On (Required) to require encryption for every call
- Disable auto-answer functionality
- Disable far end camera control on the system
- Close camera shutter when the system is not in use
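As an added example (not part of the original article), the settings above and the faults described earlier can be checked across a fleet with a small audit script. The inventory below is constructed, and its column names, values and severity labels are assumptions for illustration, not any vendor's export format.

```python
import csv
import io

# Constructed sample inventory; columns and values are hypothetical.
INVENTORY_CSV = """name,outside_firewall,encryption,auto_answer,fecc,supports_aes
boardroom-1,yes,on_if_available,on,on,yes
huddle-2,no,required,off,off,yes
lobby-legacy,no,off,off,on,no
bridge-gw,no,on_if_available,off,off,yes
"""


def audit_endpoint(row):
    """Return (severity, finding) tuples for one endpoint record."""
    findings = []
    exposed = row["outside_firewall"] == "yes"
    auto = row["auto_answer"] == "on"
    # The article calls these two faults the most severe; together they
    # let a caller connect with no firewall check and no one answering.
    if exposed and auto:
        findings.append(("critical", "outside firewall with auto-answer on"))
    elif exposed:
        findings.append(("high", "outside firewall"))
    elif auto:
        findings.append(("high", "auto-answer on"))
    # An endpoint that cannot encrypt is a different problem from one that
    # can but still allows unencrypted calls (On (If Available)).
    if row["supports_aes"] != "yes":
        findings.append(("high", "system does not support encryption"))
    elif row["encryption"] != "required":
        findings.append(("medium", "encryption not set to required"))
    if row["fecc"] == "on":
        findings.append(("medium", "far end camera control enabled"))
    return findings


def audit_inventory(text):
    """Map each endpoint name to its list of findings."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["name"]: audit_endpoint(row) for row in reader}


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY_CSV).items():
        if not findings:
            print(f"{name}: OK")
        for severity, text in findings:
            print(f"{name}: [{severity}] {text}")
```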
As with anything, there is a balance between increased security and added functionality. Restricting access to only users located on the internal network provides the highest security but is not very functional. Leaving video systems on the public internet makes it easy to connect with users outside the network but presents numerous security and privacy risks. Every organization is different and the best video networks fall somewhere in between. The bottom line is there is a way to have a highly functional video conferencing environment while mitigating many of the risks that leave a network vulnerable.