Recently, Der Spiegel (German investigative magazine ‘The Mirror’) published an article alleging that the NSA cracked the encryption of the UN video conferencing system. According to Der Spiegel, a quote from leaked NSA secret documents states, “The data traffic gives us the internal video conferencing system of the UN (yay!).” This article, along with an interesting write-up by Paul Ducklin, further calls into question how secure conference calling is when you aren’t sure who’s on your conference call.
It’s the widespread norm that invites to supposedly private conferences, including the dial-in numbers and access codes needed to join the call, are sent to both internal and external participants. Unless the host keeps track of who’s connected, which is often difficult or nearly impossible to do, conference calls are open to ‘eavesdropping’ by uninvited guests, especially when there are many participants on the call.
A key point is that the strength of the encryption on the teleconference data stream is fairly irrelevant if uninvited guests can join the conference call simply by gaining access to (often reused) dial-in numbers and access codes in the first place. This is a weak link in corporate security that is all too often ignored, especially considering the time and cost devoted to corporate email security systems.
This fundamental issue is at the heart of the ever-growing need to understand and implement solutions for secure conference calls and online meetings. As these articles highlight, though, it’s no longer enough to assume that encryption equals security in conferencing. Instead, people who are concerned about the security of conferencing should seek out solutions that provide visibility of who is on the call. In this way they can see that there are no uninvited guests and minimize the risk of exposing sensitive information.
In a world that is becoming more global, enterprises – across sectors – host conference calls, and conferencing security should be discussed more readily at the outset of choosing a conferencing solution, rather than waiting to react until after sensitive information has been exposed.
How do you manage conference calling security at your company? Do you really know who’s on your conference call?