Cisco, Zoom and Others Must Bolster Security, Say Privacy Chiefs

2020-07-23T15:57:53
ID THREATPOST:F8522D3E6CEA7C0D6658D0DFB6CC4D54
Type threatpost
Reporter Lindsey O'Donnell
Modified 2020-07-23T15:57:53

Description

Global privacy commissioners issued a joint public decry against leading video conferencing companies such as Cisco Systems, Microsoft and Zoom to demand the companies beef up their security and privacy strategies.

The critique was delivered via an open letter published by data protection and privacy commissioners from Australia, Canada, Hong Kong, United Kingdom and Switzerland.

The letter, sent Tuesday, is in response to a litany of security flaws and privacy holes reported (and mostly patched) in popular videoconferencing platforms and applications.

“During the current pandemic we have observed some worrying reports of security flaws in VTC (video teleconferencing) products purportedly leading to unauthorized access to accounts, shared files, and calls,” said the open letter, titled “Joint statement on global privacy expectations of Video Teleconferencing companies.”

The criticisms come amid the soaring popularity of video conferencing platforms, driven by work-from-home policies tied to the Coronavirus pandemic. The video conferencing market is white hot. Market research firm Global Market Insights reported the video conferencing market was worth $14 billion in 2019 and is projected to grow to $50 billion by 2026.

The joint letter urged the providers to adopt measures such as end-to-end encryption, strong passwords and two-factor authentication (2FA). End-to-end encryption has been a spotlight problem for Zoom, which earlier this year came under fire for announcing that it would only offer the feature to paying users.

These security considerations are especially critical for video conferencing users with sensitive information, such as hospitals, medical consultations and online therapists, according to the letter.

“Your organization should remain constantly aware of new security risks and threats to the VTC platform and be agile in your response to them,” according to the authorities. “We would anticipate that you routinely require users of your platform to upgrade the version of the app they have installed, to ensure that they are up-to-date with the latest patches and security upgrades.”

The privacy of user data was also a concern addressed. The commissioners urged video conferencing providers to create “privacy conscious” default settings for their platforms, such as implementing strong access controls by default and clearly announcing new callers. The measure is in response to various video conference meetings being hijacked by cybercriminals during the pandemic.

These incidents happened most frequently in Zoom users – including both during school meetings and in private government meetings – earning the perpetrators the name “Zoom bombers.”

The letter also urged platforms to implement features allowing business users to seek other users’ consent and minimizing personal data captured, used and disclosed. Other “principles” that video conferencing platforms are urged to re-evaluate revolve around transparency, end-user control and “knowing your audience.”

“Particular attention should also be paid to ensuring that information is adequately protected when processed by third-parties, including in other countries,” according to the letter.

Remote-collaboration platforms have been facing scrutiny for months, with Zoom, Slack, Trello, WebEx and Microsoft Teams facing threats of vulnerabilities, credential stuffing, social engineering, and privacy flaws. While the letter is intended for all video conferencing services, Microsoft, Cisco, Zoom, House Party and Google were sent the letter directly.

“We welcome responses to this open letter from VTC companies, by Sept. 30, 2020, to demonstrate how they are taking these principles into account in the design and delivery of their services,” according to the commissioners.