As many of us grapple with the transition to working from home due to the coronavirus outbreak, video conferencing platforms suddenly experiencing a surge in user numbers are, on the whole, meeting the security challenges associated with uptake.
The COVID-19 pandemic, which at the time of writing has reached over three million cases worldwide, has resulted in the imposition of social distancing measures including the closure of business premises.
Without warning, both SMBs and large enterprise companies alike have had to find remote solutions for maintaining communication between employees and to keep operations going -- albeit, in many cases, at a limited capacity.
However, now these tools have unexpectedly become important factors in our daily lives, this has shone the spotlight on the vendors behind these platforms and their security postures.
However, on the whole, a new report suggests that vendors are working on improving the situation and the majority of popular teleconferencing solutions now at least meet minimum security standards.
On Tuesday, Mozilla released a study, *Privacy Not Included, exploring the security posture of these solutions. In total, 15 products were tested, 12 of which have met basic cybersecurity criteria.
The research is based on Mozilla's Minimum Security Standards: a level of encryption must be in place (although strength can be variable), security updates must be issued, when users sign up they must have to create a strong password, privacy policies must be clear and without jargon, and there must be a way for cybersecurity researchers to be able to report software vulnerabilities -- whether through a direct line or a bug bounty program.
Meeting the above criteria does not mean an app is fully secure, but it does indicate that at least basic security measures to protect user privacy are being met.
In total, 12 out of 15 platforms have now met Mozilla's standards -- Zoom, Google Hangouts, Apple Facetime, Skype, Facebook Messenger, WhatsApp, Jitsi Meet, Signal, Microsoft Teams, BlueJeans, GoTo Meeting, and Cisco WebEx.
However, Houseparty, Discord, and Doxy.me -- a telemedicine app -- have apparently failed in the basics.
According to Mozilla, Houseparty, owned by Epic Games, did not meet the strong password requirement to pass the test. A minimum of five characters is required, but "12345" was still considered acceptable.
"Houseparty maintains industry-trusted encryption and security measures to protect customer data," the company told ZDNet in response. "We are continuously reviewing and improving security practices at Houseparty and remind all of our users it's a best practice to use strong passwords."
Discord, too, reportedly failed in the same area. Passwords must have at least six characters, but using "111111" is considered perfectly fine. In addition, this platform will collect user contact information if it is connected to a user's social media accounts.
Discord told us:
"Discord takes user privacy very seriously. We're pleased to get a high score from Mozilla on their minimum security standards, and we are currently working with them to ensure they have all the information regarding our privacy and security features.
Regarding passwords, today we have updated our settings to prevent passwords that aren't complex enough or that have been previously compromised by another service from being used.
In addition, we use a feature called IP Location Lock that provides deep protection for our users and encourage all our users to adopt two-factor authentication."
Doxy.me, aimed at patients and clinicians, also did not meet Mozilla's standards. The app claims that HIPAA, GDPR, PHIPA/PIPEDA, & HITECH security standards are met, of which Mozilla says may be the case depending on the version in use by clinicians, but password requirements fall short.
Only healthcare providers need to use a password, but this can be as weak as "123." There is also no general option for implementing two-factor authentication (2FA).
Doxy.me can only be accessed through a web browser, and therefore, the security of the platform relies on users making sure their browser is up-to-date. Mozilla was unable to ascertain whether or not a vulnerability disclosure platform is in place.
Doxy.me told ZDNet that as the app utilizes browsers, this "trust system" should ensure core infrastructure remains secure. In addition, while there is no official bug bounty program, the company does work with independent researchers and conducts penetration tests on a frequent basis.
Doxy.me confirmed the minimum password security requirements, but said that as no patient data is stored, passwords are intended to be flexible enough to work with existing client and organization password policies.
However, Doxy.me added that password strength is an area the company is "working towards improving."
2FA can be implemented in the higher tiers of subscription accounts, and on the lower tier, existing authentication can be used via services such as logging in with Google or Facebook.
"With a record number of people using video call apps to conduct business, teach classes, and catch up with friends, it's more important than ever that this technology be trustworthy," commented Ashley Boyd, Mozilla's Vice President of Advocacy. "The good news is that the boom in usage has put pressure on these companies to improve their privacy and security for all users, which should be a wake-up call for the rest of the tech industry."
Previous and related coverage
- Mozilla has banned nearly 200 malicious Firefox add-ons over the last two weeks
- Firefox 74 is out: Here are the key changes and features
- Mozilla enables DOH by default for all Firefox users in the US
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0