How to secure Zoom, Houseparty and other video conferencing apps


CybSafe

We are CybSafe. We’re a British cyber security and data analytics company.

May 5, 2020

We can all take steps to increase the security of video conferencing apps. This guide explains how.

General tips

Some general actions enhance the security of all video conferencing apps, such as:

1. Updating software

Software updates patch known vulnerabilities and update privacy features. So update apps when prompted! It’s one of the simplest things you can do to boost your security and privacy.

2. Turning off hardware

Consider turning off your microphone and camera when you aren’t speaking. Some video conferencing apps record video meetings. Turning off your mic and webcam when they’re not in use limits what apps can record.

3. Clearing up environments

Think through what your webcam captures. Things like books reveal your preferences, which criminals sometimes use in social engineering attacks. Notes on desks may reveal seemingly innocuous – but confidential – information. On some apps, you can use virtual backgrounds to limit what people can see.

4. Taking control

If you take one thing from this guide, it should be that you can enhance your own security. Securing video conferencing software might seem daunting. But you decide how strong your defences are. Security is all about layers and the more security layers you add, the more secure you – and those joining your call – become.

 

How to secure Zoom

Preventing “zoombombing”

In the past, Zoom meetings have been criticised for being easy for hackers to disrupt. So take steps to prevent “zoombombing”.

1. Keep URLs private

This one’s easy. Think twice before sharing your conference URLs (by which we mean meeting and webinar URLs – more on this below) publicly. Doing so is an open invitation to strangers.

2. Ditch your personal meeting room

When you join Zoom, you’re assigned a personal meeting “room”. Your room has a static URL. Under certain conditions, that makes it possible for those who learn of your room URL to join your room at any time. So don’t use it. Instead, generate a new, random URL for each meeting. This video shows you how.

3. Use waiting rooms

Zoom waiting rooms are virtual staging areas. They stop people from joining your conferences until you’re ready for them. Waiting rooms let you vet participants before you get going and, when used in conjunction with locks (see point 4 below), they help you control who joins your conferences.

4. Lock conferences once they’ve started

This prevents anyone else from joining.

5. Password-protect conferences

Zoom conferences are password-protected by default. Whenever possible, keep them password-protected. This prevents “brute-forcing”, in which uninvited hackers use software to find, join and disrupt Zoom conferences.

6. Only allow signed-in users to join

This helps ensure only invited participants can join your conferences.

7. Favour webinars over meetings

By default, all Zoom “meeting” participants can share their screens, video and audio. In default Zoom webinars, only hosts and designated panelists can share their audio and video feeds. (Note though, webinars are a paid-for feature.)
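If you look after many meetings, the settings in points 2, 3, 5 and 6 above can be checked in bulk. This is an added example, not CybSafe's or Zoom's code: it assumes meetings exported as JSON, the field names (`password`, `settings.use_pmi`, `settings.waiting_room`, `settings.meeting_authentication`) are assumptions modelled on Zoom's REST API meeting object, and the sample meetings are constructed.

```python
# Added example: audit exported meeting settings against the checklist above.
# Field names are assumptions modelled on Zoom's REST API meeting object;
# verify them against your own export before relying on the results.

CHECKS = [
    # (finding, predicate returning True when the meeting FAILS the check)
    ("uses personal meeting room (static URL)",
     lambda m: m.get("settings", {}).get("use_pmi", False)),
    # A missing setting is treated as "off", so incomplete exports fail closed.
    ("waiting room disabled",
     lambda m: not m.get("settings", {}).get("waiting_room", False)),
    ("no password set",
     lambda m: not m.get("password")),
    ("sign-in not required to join",
     lambda m: not m.get("settings", {}).get("meeting_authentication", False)),
]

def audit_meeting(meeting):
    """Return the checklist items this meeting fails."""
    return [finding for finding, fails in CHECKS if fails(meeting)]

def audit_all(meetings):
    """Map meeting topic -> findings, omitting meetings that pass every check."""
    report = {}
    for m in meetings:
        findings = audit_meeting(m)
        if findings:
            report[m.get("topic", "<untitled>")] = findings
    return report

# Constructed sample data, not real meetings.
SAMPLE_MEETINGS = [
    {"topic": "Weekly team sync", "password": "k7!pQz2m",
     "settings": {"use_pmi": False, "waiting_room": True,
                  "meeting_authentication": True}},
    {"topic": "Open office hours", "password": "",
     "settings": {"use_pmi": True, "waiting_room": False,
                  "meeting_authentication": False}},
    {"topic": "Client call", "password": "x9#Lw4vb",
     "settings": {"use_pmi": False, "waiting_room": False,
                  "meeting_authentication": True}},
]

if __name__ == "__main__":
    for topic, findings in audit_all(SAMPLE_MEETINGS).items():
        print(f"{topic}: {', '.join(findings)}")
```

Locking (point 4) is done by the host during the call, so it cannot be checked from scheduled settings.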

Protecting your privacy on Zoom

In the past, some have criticised Zoom’s approach to privacy. 

Recent criticisms largely stem from Zoom's claim that its meetings were end-to-end encrypted. End-to-end encryption would ensure not even Zoom could access data in transit. The company has since admitted the claim is false.

Avoid discussing confidential information – no matter who it relates to – via Zoom. If you must discuss confidential information via video conferencing software, consider using an alternative. Apple’s FaceTime and Google Duo are both end-to-end encrypted, as is Signal.

Signal is privacy focused. Unfortunately, it’s not currently possible to hold group video calls via Signal.

 

How to secure Houseparty

Keeping rooms private

As with Zoom, it’s possible for strangers to join Houseparty “rooms”. In fact, the app is designed to facilitate intermingling. 

Say you’re sharing a room with a friend. By default, any of your friend’s friends can wander in… just as they might in a physical party. It’s designed to help socialising… but it does mean you’re likely to run into strangers!

If you’d prefer to keep rooms private, you can lock them by enabling Houseparty’s private mode via its settings. Alternatively, you can lock individual rooms once all expected participants have arrived by tapping the padlock symbol at the bottom of your screen. 

Other friends can still request to join locked rooms… but they won’t be able to join without permission.

Protecting your privacy on Houseparty

Houseparty’s privacy policy reveals it collects “anonymized and aggregated information, such as de-identified demographic information” and “de-identified location information.” Translated, that means it records information about you, including your location. So disable location tracking via settings to prevent it from doing so. You may want to use false demographic data to protect your personal data, too.

Houseparty and hacking

Towards the end of March 2020, rumours began circulating linking Houseparty to the hacking of Spotify, Netflix and other accounts. Weeks on, evidence substantiating the rumours is yet to emerge.

Many believe the link was a coincidence and that the hacking of multiple accounts in unison was more likely exacerbated by people reusing passwords than it was by downloading Houseparty. To prevent criminals hacking any of your accounts, you can use unique passphrases and multi-factor authentication.

How to judge if an app is safe

Houseparty was relatively unknown before the outbreak of COVID-19. It raises the question: how can you tell if an app is safe to download?

Unfortunately, no app comes with an iron-clad security guarantee. That doesn’t mean you should never download apps! It just means you should consider whether the benefits of an app really outweigh its risks before doing so. 

When you do download new apps, only ever download them from reputable sources such as Apple’s App store or Google’s Play Store. 

Check the number of times an app has been downloaded. As a general rule of thumb, the more downloads an app has, the safer it is. Check reviews too, and the permissions an app requests from your device once it’s installed. A video conferencing app is going to need access to your mic and camera. But a weather app? Probably not.

Android users should enable Google Play Protect, Google’s built-in malware protection software for Android, as an extra security layer.

Which video conferencing app should you use?

It really depends!

Video conferencing apps are designed for different purposes. Houseparty was designed to facilitate online socialising. Zoom, meanwhile, was designed to facilitate business conversations. Bear in mind that neither is as private as it could be. For confidential matters, consider an alternative.

Signal has a great track record when it comes to privacy and security if you only need to chat to one person. FaceTime is end-to-end encrypted, as is Google Duo.

Cryptographer Gary Belvin’s Medium post has a handy chart highlighting the features and security of all these… plus quite a few more. 

Finally, if you’re going to discuss something confidential, turn off listening devices such as Alexa or Google Home before you do!
