Security in video call applications: Microsoft Teams, Zoom and Google Meet

Antonio Gil Moyano    15 June, 2021
Apps videocalls

There is no doubt that instant messaging programmes have become an essential communication tool in our personal and professional lives. There is also no doubt that video calling applications, or the extension of this functionality to existing ones, have been a revolution during the pandemic, where they became the only form of visual communication due to the forced implementation of remote work.

There are many options, but in this article we are going to focus on some of the most professional ones, due to their connection with other applications and functionalities, always guaranteeing the security of the information shared and the privacy of communications.

Much has been written about this, including several publications that refer to a report last year by the US National Security Agency (NSA), which analysed the strengths and vulnerabilities of working remotely as a national security issue.

In our country, studies are also carried out by organisations concerned about national, citizen and business security, such as the National Cybersecurity Institute (INCIBE) or the National Cryptologic Centre (CCN) associated to the National Intelligence Centre (CNI).

We are going to focus on the report entitled Security recommendations for remote working situations and reinforcement in CCN-CERT BP/18 vigilance. In chapter 7 it talks about the security that should be applied to videoconferences and virtual meetings.

Let’s have a look at some of these recommendations:

  • The App/software must come from verified and authenticated repositories such as the manufacturer’s repositories or the application repositories of the platform providers (Microsoft, Google, Apple, Samsung, LG, etc.).
  • User and password identification and authentication must meet minimum strength requirements (e.g., recommended minimum character length, combination of letters, numbers and special characters, maximum number of failed authentication attempts, etc.).
  • Incoming connections must be accepted by the user, there must be no possibility of auto-response.
  • They should offer the possibility to access the session with or without video/audio.
  • The video sessions must comply with at least the following requirements regarding communication security:
    • Use TLS 1.2 secure channels in encrypted calls for signalling and AES-128 or 256 for media traffic.
    • SRTP traffic recommended for audio, video and media with AES-128 encryption.
    • In UDP traffic ensure AES-128 encryption and ensure that the initial key exchange is over a secure TLS channel.
  • Document sharing must ensure the confidentiality of data and repositories, as determined by the National Security Scheme.

With these recommendations in mind, let’s look at how each of the 3 recommendations we have selected fits in.

Microsoft Teams

It certainly meets all the requirements you need for a “corporate” video conferencing solution, not only because it comes from a trusted manufacturer, but because all the security and functionality comes configured in Microsoft 365 and Office365.

This makes it robust, stable, but above all reliable, which is what companies and professionals need when using such a solution. 

In this guide published by Microsoft in October 2020  https://docs.microsoft.com/es-es/microsoftteams/teams-security-guide you can see in more detail all the aspects related to how Teams controls common security threats.

Attack using a known key

  • Denial of service network attack
  • Interception
  • Impersonation (IP addresses)
  • Man-in-the-Middle attack
  • RTP replay attack
  • Unwanted instant messages
  • Malware, virus…

 Zoom

Possibly the most widely used video conferencing solution in the professional and personal sphere, it became very popular during the lockdown, it is easy to use, low cost in use and even free of charge. However, there is room for improvement in terms of security.

The privacy and security section of their website provides advice on:

  • How to set up Zoom before starting a meeting.
  • Security settings to lock a meeting, expel, mute or report participants, disable file transfer or annotation, control screen sharing, disable private chat or recording control, among others.
  • In relation to protecting the data we share, it talks about AES 256 encryption of video, audio and screen sharing, audio signatures and watermarked screenshots, also local and cloud storage encryption of recordings, and file transfer.

It also talks about the different security certifications and concerning the privacy policy they talk about the different methods of authentication using existing applications or by password, also about two-factor authentication, attendee authorisation for recordings, basic technical information of the meeting participants, storage of basic profile information…

The last 3 paragraphs are quite striking, where they expressly warn that:

  • They have never had any intention of selling our information to advertisers and have no intention of doing so.
  • They do not monitor our meetings and their content.
  • They comply with all privacy policies, rules and regulations in the jurisdictions in which they operate, including the GDPR and the CCPA.

This relates to the CCN report on the use of Zoom and its implications for security and privacy. Recommendations and good practices published in the wake of the cyber-attacks suffered during the lockdown.

In its conclusions it states that with proper configuration and safeguards, Zoom offers a safe and secure virtual meeting environment, regardless of the fact that this software is currently being targeted by cyber attackers due to its popularity.

Google Meet

As well as Microsoft, it is the video conferencing solution integrated into G Suite and connects seamlessly with Gmail, Google Calendar, Docs, Drive, Jamboard, Chromecast and more.

Here you can see the security and privacy that applies to users like:

  • Security measures to protect video calls such as anti-hacker controls or preventing anonymous users (without a Google account) from joining the meeting, among others.
  • Encryption of all data by default, between the client and Google from both browsers and Android or iOS Meet applications.
  • Double-factor authentication.
  • On privacy and transparency, they say that we as users have control over our information, and that they apply data protection laws and other industry standards. They also say that they do not use our data for advertising purposes, nor do they sell the data to third parties, just as Zoom it is striking to find these “reassuring” messages for users.
  • Security best practices for a trusted and secure meeting experience.

In conclusion, we must choose the solution that best suits our needs as a company or professional, always taking into account the integration with the different tools we use for the development of our work. If we consider this a priority, we should choose between Microsoft and Google. If what we are looking for is an application exclusively for video calls, prioritising simplicity without many requirements, Zoom would be the best candidate.

Regarding security, as we know, no solution is 100% secure, although competition has meant that all of them have implemented security measures that they did not have before and, without a doubt, the objective is to generate the trust we need in order to work sharing our information, guaranteeing the confidentiality, integrity and availability of the same.

Leave a Reply

Your email address will not be published. Required fields are marked *