As many of us are grappling with the transition to working from home due to the coronavirus outbreak, video conferencing platforms suddenly experiencing a surge in user numbers are, on the whole, meeting the security challenges associated with uptake.
The COVID-19 pandemic, which at the time of writing has reached close to three million cases worldwide, has resulted in the imposition of social distancing measures including the closure of business premises.
Without warning, SMBs and large enterprises alike have had to find remote solutions for maintaining communication between employees and keeping operations going, albeit, in many cases, at a limited rate.
However, now that these tools have unexpectedly become important factors in our daily lives, the spotlight has turned to the vendors behind these platforms and their security postures.
On the whole, a new report suggests that vendors are working on improving the situation and that the majority of popular teleconferencing solutions now meet at least minimum security standards.
On Tuesday, Mozilla released a study, *Privacy Not Included, exploring the security posture of these solutions. In total, 15 products were tested, 12 of which have met basic cybersecurity criteria.
The research is based on Mozilla’s Minimum Security Standards: a level of encryption must be in place, security updates must be issuable, users must be required to create a strong password when they sign up, privacy policies must be clear and without jargon, and there must be a way for cybersecurity researchers to report software vulnerabilities, such as through a direct line or bug bounty program.
This does not mean an app is fully secure or keeps privacy at the heart of operations, but it does indicate that at least basic security measures to protect user privacy are being met.
In total, 12 out of 15 platforms have now met Mozilla’s standards — Zoom, Google Hangouts, Apple Facetime, Skype, Facebook Messenger, WhatsApp, Jitsi Meet, Signal, Microsoft Teams, BlueJeans, GoTo Meeting, and Cisco WebEx.
However, Houseparty, Discord, and Doxy.me — a telemedicine app — have failed in the basics.
According to Mozilla, Houseparty, owned by Epic Games, did not meet the strong password requirement to pass the test. A minimum of five characters is required, but “12345” was still considered acceptable.
Discord, too, failed in the same area. Passwords must have at least six characters, but using “111111” is considered perfectly fine. In addition, this platform will collect user contact information if it is connected to a user’s social media, the report suggests.
Doxy.me, however, may be the most serious breach considering the app is aimed at patients and clinicians. The app claims that HIPAA, GDPR, PHIPA/PIPEDA, & HITECH security standards are met, which Mozilla says may be the case depending on the version in use by clinicians, but password requirements fall extremely short.
Only healthcare providers need to use a password, but this can be as weak as “123.” There is no option for implementing two-factor authentication (2FA).
Doxy.me can only be accessed through a web browser, and therefore, the security of the platform relies on users making sure their browser is up-to-date. Mozilla was unable to ascertain whether or not a vulnerability disclosure platform is in place.
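A length-only rule is what lets “12345”, “111111” and “123” through. The following is an added example, not code from Mozilla's report or from any of the vendors, contrasting that rule with a signup check that also rejects repeated and sequential strings. The 8-character minimum, the blocklist entries, the function names and the minimum length of 3 used for Doxy.me are assumptions made for illustration.

```python
# Added example: names, thresholds and the blocklist are assumptions, not Mozilla's criteria.
MIN_LENGTH = 8  # assumed minimum for illustration
BLOCKLIST = {"password", "qwertyuiop", "letmein123", "iloveyou"}  # constructed sample

# Passwords the article reports as accepted, with each service's stated minimum length.
# Doxy.me's minimum is not given in the article; 3 is assumed from the accepted "123".
REPORTED = {"Houseparty": ("12345", 5), "Discord": ("111111", 6), "Doxy.me": ("123", 3)}


def length_only_ok(password, minimum):
    """The policy that failed: nothing but a minimum length is enforced."""
    return len(password) >= minimum


def is_sequential(password):
    """True when every character is exactly one code point above (or below) the last."""
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    return steps in ({1}, {-1})


def weaknesses(password):
    """Return every reason a signup form should reject this password (empty = accept)."""
    lowered = password.lower()
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if len(set(lowered)) == 1:
        reasons.append("single repeated character")
    if is_sequential(lowered):
        reasons.append("sequential run")
    if lowered in BLOCKLIST:
        reasons.append("on blocklist")
    return reasons


if __name__ == "__main__":
    for service, (password, minimum) in REPORTED.items():
        verdict = "accepted" if length_only_ok(password, minimum) else "rejected"
        print(service, repr(password), "length-only:", verdict,
              "| stricter check:", weaknesses(password))
    # Long enough to pass a length rule, still trivially guessable:
    for password in ("1111111111", "abcdefghij", "correct horse battery staple"):
        print(repr(password), weaknesses(password) or "accepted")
```

Raising the minimum length alone does not fix the problem: the ten-character strings in the last loop pass any length rule and are rejected only by the pattern checks.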
“With a record number of people using video call apps to conduct business, teach classes, and catch up with friends, it’s more important than ever that this technology be trustworthy,” commented Ashley Boyd, Mozilla’s Vice President of Advocacy. “The good news is that the boom in usage has put pressure on these companies to improve their privacy and security for all users, which should be a wake-up call for the rest of the tech industry.”
ZDNet has reached out to Epic Games, Discord, and Doxy.me and will update when we hear back.