
No Downloads = Better Security

Ryan Murphy
January 27, 2020

In 2019, a major cloud conferencing provider created major security vulnerabilities for their customers. You probably know who I’m talking about.

But I’m not here to trash them. I want to use their experience as a cautionary tale. They’ve certainly learned from it.

Their platform is easy to use. It has a nice interface, but that’s only half of it.

The other half is that it’s easy to set up. It doesn’t get hung up in networking or firewall issues. To those who have battled when trying to set up video conferencing, this is a godsend. Seems too good to be true.

Turns out it was. Their platform opened security vulnerabilities in their customers’ infrastructure, and exposed a fatal flaw in their development philosophy: by putting ease-of-use above security failsafes, conferencing suite developers risk their customers being hacked and spammed, and their privacy compromised.

Here’s what happened, in a nutshell:

Security Issue One

In order to make and receive calls from a Mac computer, the installed app created a local server on the hard drive. This local server bypassed the Safari browser’s security. Experts demonstrated that hackers could access this server and take control of the app. Control of the app meant control of meetings and cameras. Websites could open a meeting and spy on users through their own hardware.

Hackers could also effectively launch a DDoS attack against the user by constantly pinging the local server, resulting in a Denial of Service (DoS).

Again – it is important to note that this method of service delivery was developed to make it easier for Mac users to connect – Safari security makes it tricky. But that same security also protects from problems like the above.

Security Issue Two

Users download an app inside their firewall and connect it with their standards-based room devices. The app creates a tunnel between itself and the solution server, bypassing the firewall. Devices can now dial out to the service, and also receive calls directly from the internet.

They got into trouble here because anyone with the URL to the app could, again, take control of meeting settings and camera controls. Hackers could listen in on meetings, or make the camera appear off when it was actually on and watching. All very creepy.

A Common Theme

The apps’ functions are to bypass security protocols. Granted: getting around firewalls and navigating networks is part of what has traditionally made video conferencing so tricky. A snag-free conferencing solution is a dream come true.

They took a gamble, and it paid off for the most part. They removed barriers to entry and made the solution easy for everyone. Adoption and usage went through the roof.

But the security measures serve a purpose, and that purpose is being bypassed.

Is there an answer, then, that can make it easy to join a meeting without sacrificing security? Until recently: no. But platforms in development today have a leg up.

The Simple-While-Still-Secure Solution

The vulnerabilities listed above happen in large part because they require downloads installed on PCs. In order to keep things simple while not sacrificing security, we’ve taken a two-pronged approach:

  1. We’ve committed to a zero-download policy.
  2. We employ device registration as a means to securely connect through firewalls.

No Downloads

We hate ’em. They slow down meetings. They put people off. We know this because previous iterations of RP1Cloud, our flagship video service, used a plug-in to run in-browser.

But thanks to improvements made to WebRTC protocols, we’ve moved our desktop experience entirely in-browser. Hosts and participants meet on a webpage rather than via a local server. All they need do is click a link, type their name and the service, and join. It’s as close to the audio-conferencing experience as it gets. Even the meeting management dashboard, reached via the RP1.VC portal, is hosted entirely online.

And best of all, no one can gain access to your PC or its components.

Device registration

We have a solution that makes it easier to connect room systems to meetings. It’s called device registration. Registering a device with RP1Rooms provides a dedicated port and an authentication service that allows devices to safely accept calls from anywhere on the internet. It guarantees security. And it can be done for any SIP conferencing device.

Registering your device makes calling point-to-point a breeze. There are solutions, usually more cost-effective ones, other than a third-party service that requires a workaround to get the job done.

Conclusion

Video conferencing is going mainstream, in no small part because of how easy it has become. But that ease of use can’t come at the cost of security. It’s important for users and IT professionals to do their homework and understand how solutions fit within their network. Take the time to get to know how and why it works, and which platform is the best fit for your business.

 
