Computer Security: Videoconferencing pitfalls

After two months of teleworking, videoconferencing has become the ultimate tool for staying in touch with colleagues, friends and family. Skype. WhatsApp. WebEx. Teams. Hangouts. Vidyo. Zoom. There is a plethora of potential tools and a plethora of pitfalls to catch us out. Let’s review a few of them.

The privacy and security of your meeting are essential of course. Generally, the use of a web/browser-based client should be favoured over client installations, which can be more invasive of your privacy and can pose problems with the security of the device where they are installed. Admittedly, web clients usually come with less functionality and reduced quality of service, so if a client installation cannot be avoided, make sure that the software comes from a trusted source like https://vidyoportal.cern.ch, CMF (for Skype for Business) or https://cern.zoom.us/, or directly from the Google or iTunes app stores. Avoid sources that look dubious or check with us at [email protected] if in doubt. And, as for any other software, make sure that your client is kept up-to-date!

When on a call, stick to the appropriate netiquette. Remember that the meeting might be public or recorded. So do not say something you might regret later. Muting your microphone protects you against any blunder when you are not the focus (think of your kids hopping around, or offline discussions on, for example, what to eat for dinner). This is particularly valid if you use a built-in microphone rather than a headset, as it might pick up sounds from your surroundings, such as traffic or construction site noise. Also remember your web camera. It records more than just you. So ensure that your background is content free or, at least, does not show compromising or offending items. Consider switching off your webcam if it’s not really essential, in particular to reduce bandwidth consumption if the overall videoconference quality is mediocre.

If you are organising online/videoconferencing meetings, please make sure, whether you’re using Vidyo or Zoom, that you protect your meeting with an access code and ensure that this code is not publicly visible (e.g. posted on a public webpage, Twitter or a public INDICO event page)! In recent weeks, mischievous people have looked out for such unprotected meetings and spoiled the proceedings in multiple (funny and not so funny) ways: including at CERN. It also helps, if possible, to centrally disable microphones and webcams of participants by default and tightly control when screens are shared. Furthermore, record sessions only when needed and make this explicit to everyone on the call prior to starting the recording!

Finally, what is CERN’s pick for videoconferencing tools? Skype for Business and Vidyo are already established tools, which were recently joined by a CERN pilot of the popular Zoom software. The Computer Security Team has performed an assessment of Zoom using public information on the software’s security and privacy posture as well as on CERN’s Zoom configuration. Based on this assessment, the Zoom@CERN pilot instance has been configured in the most privacy-preserving and secure manner possible. The recommended video-conferencing tools for the CERN community are currently:

  • Skype for Business for meetings of a confidential nature and up to 10 people;
  • Vidyo for meetings of a confidential nature and up to 100 people; and
  • the Zoom@CERN pilot (under evaluation) for any public or quasi-public meeting with up to 500 people and meeting organisers willing to participate in the pilot programme.

______

/Public Release. View in full here.