Just a few weeks ago, video conferencing was primarily a tool for corporate users to conduct business with remote workers, customers, vendors, etc. Now, it’s a lifeline. As so many of us stay home to stay safe from the novel coronavirus, video conferencing is not just keeping businesses up and running, but keeping communities of all types connected. Whether it’s keeping up with lessons and classmates, celebrating a friend’s birthday, online happy hours with co-workers, or even getting your band together to practice, people across the world are turning to Zoom and other video conferencing tools to maintain some social normalcy in this extraordinary time.
The dramatic rise in video conferencing has attracted hackers and trolls looking to exploit security flaws and vulnerabilities. Recently, a phenomenon known as “Zoombombing” has emerged, in which intruders hijack public and other unsecured Zoom calls and project offensive content using the platform’s screen-sharing feature. The situation has become so critical that, at the end of March, the Office of the Attorney General of New York sent a letter to Zoom regarding its concerns over security measures to handle increased traffic and hacking on its network.
And it’s not just Zoom. GoToMeeting and WebEx are experiencing the same kind of intrusions.
Although most video conferencing platforms rely on user authentication and identity management using password credentials, or might encrypt messages end-to-end, these approaches do not necessarily protect a video stream. Moreover, encryption alone is not enough to protect video and, at the very least, there is a need for a service that manages the keys used to encrypt the video content from meetings, webinars, chats and file sharing activities. So, how can you protect video streaming from threats and vulnerabilities?
Adding layers of security
Simple AES encryption is not enough
Without a secure way to exchange encryption keys, encryption cannot adequately protect streaming video. When the key itself is revealed to the hacker, encryption is of no use. Encryption must be supported by a secure key exchange protocol. For example, TLS (Transport Layer Security) is the industry standard networking protocol used for cloud software and other applications that require data to be securely exchanged over a network. The security of TLS is enabled by using cryptographic algorithms mutually supported by client and server. These cryptographic operations ensure data and video content remain secure during transmission from end to end.
TLS can be used by video conferencing platforms instead of only utilizing AES encryption with clear keys, where anyone with basic web development skills can retrieve the key. A cloud-based service that offers key generation and key management for a TLS protocol suitable for video conferencing applications provides an additional security layer above and beyond a stand-alone encryption scheme for protecting video content, a scheme that most content owners simply reject.
Secure keys for trusted communications
The secure connection offered by the TLS protocol only protects the communication from the client to the server, but what if an attacker gains access to the keys used to secure either end of the TLS connection? The malicious actor can simply use the key to decrypt the communication and read the data, alter the information in transit, or masquerade as a legitimate device. Without a method for keeping security keys secure, data integrity and security are at risk.
Another important tool is a white-box cryptographic technology that can be used to ensure the encryption keys and other secrets are protected. It does this in such a way that the keys are never in the clear in the device memory, even when in use. That’s important as it stops hackers from using open-source tools and techniques to search through the memory looking for encryption keys.
A multi-DRM service for video conferencing
Digital rights management (DRM) provides additional layers of security beyond a secure key exchange protocol offered by TLS. With DRM, the content keys are at no time directly exposed in the clear to any user. Instead the content keys are encrypted in the DRM licenses along with usage rules specifying which users or devices have access to the content keys.
A state-of-the-art DRM system provides three elements of additional security: (1) the header data is a proxy for the key, which is then validated by (2) the Content Decryption Module and (3) the license server collectively. These additional layers of security effectively protect any type of streaming video.
The main benefit of using DRM technology for a video conferencing platform is that the keys used to encrypt video and data generated during a video conference session are also protected. This extends to each point of the delivery chain: from secure key delivery to the viewer, to secure key handling on devices. This is the protection solution that content owners widely recognize.
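As an added example (not code from the original article or from Intertrust), the script below audits a streaming playlist and labels each key tag by how the content key reaches the player: the clear-key AES delivery described under “Simple AES encryption is not enough” versus the license-based delivery described in this section. HLS as the streaming format, the host names and the key identifier are assumptions; the sample playlist is constructed.

```python
import re

# Attribute-list parser for an HLS #EXT-X-KEY tag (tag syntax per RFC 8216).
ATTR_RE = re.compile(r'([A-Z0-9-]+)=("[^"]*"|[^,]*)')

def parse_key_tags(playlist):
    """Return one dict of attributes per #EXT-X-KEY line in the playlist."""
    tags = []
    for line in playlist.splitlines():
        line = line.strip()
        if line.startswith("#EXT-X-KEY:"):
            body = line[len("#EXT-X-KEY:"):]
            tags.append({k: v.strip('"') for k, v in ATTR_RE.findall(body)})
    return tags

def classify(attrs):
    """Label how the content key reaches the player for one key tag."""
    method = attrs.get("METHOD", "NONE")
    keyformat = attrs.get("KEYFORMAT", "identity")  # "identity" is the spec default
    if method == "NONE":
        return "unencrypted"
    if keyformat != "identity":
        return "drm-license"          # key arrives wrapped inside a DRM license
    if attrs.get("URI", "").lower().startswith("http://"):
        return "clear-key-plaintext"  # raw key bytes cross the network unprotected
    return "clear-key"                # raw key bytes go to any client that can fetch the URI

def audit(playlist):
    return [classify(a) for a in parse_key_tags(playlist)]

# Constructed sample playlist; hosts and the key id are placeholders.
SAMPLE = """#EXTM3U
#EXT-X-VERSION:5
#EXT-X-KEY:METHOD=NONE
#EXTINF:6.0,
seg0.ts
#EXT-X-KEY:METHOD=AES-128,URI="http://media.example.test/keys/1.key",IV=0x00000000000000000000000000000001
#EXTINF:6.0,
seg1.ts
#EXT-X-KEY:METHOD=AES-128,URI="https://media.example.test/keys/2.key"
#EXTINF:6.0,
seg2.ts
#EXT-X-KEY:METHOD=SAMPLE-AES,URI="skd://key-id-placeholder",KEYFORMAT="com.apple.streamingkeydelivery",KEYFORMATVERSIONS="1"
#EXTINF:6.0,
seg3.ts
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A `clear-key` result over HTTPS still hands the raw key to the client, so the key URI needs its own access control; only the `drm-license` case keeps the key wrapped until it reaches the decryption module.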
Tackling new security challenges
We’re all living a new reality these days – what seemed normal a few weeks ago does not measure up to the new challenges ahead. We salute everyone in medicine, food services, government, tech and elsewhere that has stepped up to help us get through this time. Our expertise is security and we are using it to help businesses and communities stay connected securely with DRM.
About Ali Hodjat
Ali Hodjat is the VP Marketing for Intertrust ExpressPlay. He has extensive experience in leading product management and product marketing activities in the fields of content protection and pay-TV security, anti-piracy, and IoT security solutions.