Video Calls May Not Be Safe, Researchers Say

Your video calls may not be as secure as you think, according to new research. 

Cybersecurity firm McAfee has released a report uncovering a new vulnerability in a video-calling software development kit (SDK). Hackers could exploit this vulnerability to spy on users’ live video and audio calls. Dating apps such as eHarmony and Plenty of Fish were among those identified as using the vulnerable SDK platform.

"Whether you are attending regular virtual work meetings or catching up with extended family across the globe, as a consumer, it’s important to realize what exactly you’re getting into when downloading applications that help you stay connected," Steve Povolny, head of McAfee Advanced Threat Research said in an email interview.

"As the rapid, broad adoption of video conferencing tools and apps occurs, potential threats to online safety will inevitably emerge."

Many Threats to Video Chats

The SDK, provided by the software firm Agora.io, can be used by applications for voice and video communication across many platforms, such as mobile and web. It’s unknown how many other apps could have been impacted, Povolny said.

Since McAfee discovered this security issue, Agora has updated its SDK to provide encryption. But experts say that many types of video communications remain vulnerable to hacking. 

Anything connected to the internet can be hacked, pointed out Joseph Carson, chief security scientist at cybersecurity firm Thycotic, in an email interview.

"Any devices that contain cameras can absolutely be abused to record video, analyze that data, and perform voice or facial recognition," he added.

"In many incidents, the vendors who manufacture them do not provide the ability to turn them off, which means they focus purely on ease of use and almost always sacrifice security as a result."

The number of people using video conferencing platforms has increased dramatically, with many people forced to work from home during the coronavirus pandemic, Hank Schless, senior manager of security solutions at cybersecurity firm Lookout, said in an email interview.

"Malicious actors know that there are many new users who are unfamiliar with the apps they can exploit," he added. "In this type of campaign, they often use both malicious URLs and fake message attachments to bring targets to phishing pages."

Insider Attacks are the Biggest Threat

Video calling is most vulnerable when the call is recorded and stored on a third-party server or on the app provider's server, Hang Dinh, a professor of computer and information sciences at Indiana University South Bend, said in an email interview.

For example, video calls on Facebook Messenger are stored on Facebook's servers and can be viewed by Facebook's employees. 

"If one of their employees is not careful with security, your calls can be hacked," Dinh added. "Remember that Twitter was also hacked because of an insider's fault."

To make their communications more secure, users should choose end-to-end encrypted video calls such as WhatsApp, Google Duo, FaceTime, and ExtentWorld, Dinh said.

"Being end-to-end encrypted means the calls are not stored and decrypted on any third party server, including the call provider's servers," she added. 

Popular video conference software Zoom also recently began offering end-to-end encrypted video calls. Still, the encryption feature on Zoom is not turned on by default, Dinh noted. 

For most people, the most significant risk to video hacking is eavesdropping, Chris Morales, head of security analytics at cybersecurity company Vectra AI, said in an email interview.

"The other risk is the disruption of a session with shared images and sounds," he said. "Think of it like digital graffiti."

To keep out hackers, users should have passwords for all video conferences, Morales said. 

That password should not be posted publicly and should be shared privately. The moderator can also, by default, enable mute on all participants and disable screen sharing features. "How strong that password is will still impact the ability for someone to access a current session," he added. "But it is much better than no password at all."