Security experts warn of mobile-conferencing risks

Mobile videoconferencing should be taken as seriously as the desktop in terms of security, say experts

Mobile videoconferencing may be a new application for enterprises, but it needs the same security priority as other systems, according to experts.

According to Eric Hoh, vice president at Symantec Asia-Pacific and Japan, the introduction of videoconferencing on mobile devices has added new entry points for security threats.

"The consumerisation of IT has changed the way the chief information officer or chief security officer deals with the threat landscape," Hoh said. "Increasingly, employees are using a variety of mobile devices to connect to corporate networks."

Ong Geok Meng, Asia-Pacific and Japan head of the anti-malware research team at McAfee Avert Labs, said companies should give mobile and PC security equal weight.

Ong noted that more software vulnerabilities had been found in PCs than in smartphones, but that does not rule out the need to secure mobile devices. Most organisations fail to ensure mobile devices are as secured as other devices on their network, he added.

According to a Symantec survey conducted last year, nearly half of businesses in Asia allowed mobile devices to access office email, but fewer than one-third of mobile-security policies were implemented.

Paul Ducklin, Sophos's Asia-Pacific head of technology, said companies may bypass traditional security measures when pressed for time.

In a web conference, for instance, some companies assume keeping invitation lists private provides sufficient security because there is a lower risk of eavesdropping on a meeting that lasts for only about an hour. "But an hour is a long time on the internet clock," Ducklin told ZDNet Asia.

Furthermore, communications tools offer more connectivity than organisations may realise — and consequently, more security holes, he added.

Ducklin listed examples, including videoconferencing software Skype, that also offer direct file-transfer and PC desktop-sharing options. "Systems administrators going for technologies such as VoIP and videoconferencing need to make sure they aren't also unintentionally implementing these features as an unexpected side channel in their online conferencing system," he said.

"If you don't explicitly need these features in your web meeting, make sure they are turned off. If they can't be turned off, find another web-conferencing tool," Ducklin added.

Chia Wing Fei, security response manager at F-Secure's security labs, thinks companies should wait for the dust to settle before deploying videoconferencing to mobile devices. He said: "There is always some sort of security risk for early adopters of technology."

Chia gave Wi-Fi as an example of a technology that had undergone many security improvements since its debut before organisations could safely implement it. "The first question an organisation should ask is whether they really need mobile videoconferencing," he said.

Networking vendor Cisco recently released a web-conferencing application that runs on smartphone-based browsers, connecting its WebEx customers to their mobile users. According to Cisco, the application was made available for Apple's iPhone in January. The tool was expanded in February to include BlackBerry devices, and Nokia and Samsung phones.

Alcatel-Lucent earlier this month also launched smartphone support for its OmniTouch 8400 Instant Communications line of products.