21.04.2020

Cyber Security In Industry – When Video Call Security Really Matters

The question that we are most commonly asked is: ‘How does POINTR differ from Skype?’ This demonstrates not only how similar many competing video call solutions can appear but also how strong a foothold consumer solutions have gained in the industrial sector.

As the trend in remote working rapidly increases all over the world, the industrial sector has been steadily adopting remote guidance processes, as an alternative to costly and time consuming business travel. In the present ‘Corona climate’, with business travel suspended until further notice, remote guidance is now seen as the only practical way to keep business running. This sudden and unexpected change in conditions brings into sharp focus the solutions that are available, especially as easily available consumer and office solutions, such as Skype, Zoom, Microsoft Teams, and WhatsApp, ‘leak’ into industrial use.

In light of the latest news about Zoom (Ars Technica, Tech Crunch, Business Insider, Vice) and what is known about Skype’s (Comparitech, Heimdal Security), Teams’ (Geek Wire, Borncity), and WhatsApp’s (Threat Post, Forbes) vulnerabilities, the security protocols of the applications seem to have more holes than a good Swiss cheese. 

Security is known to be a major concern for video communication apps. In terms of  video conferencing, calling and guidance solutions, security consists of three elements: data security, traffic encryption, and privacy. 

Cyber security is a complex matter
Cyber security is the topic of the new decade

All platforms claim to take security ‘very seriously’. However, by looking more closely at their practices and protocols, it is evident that these assurances are nothing more than ’empty rhetoric’. By way of example, Zoom, in a recent interview in The Intercept, claimed that their calls were “end-to-end encrypted”, before finally admitting that end-to-end encryption is not possible in Zoom.

Cyber security will increasingly be of vital importance during the coming decade. Companies have been forced to quickly learn hard lessons, as changes to data protection laws start to catch up with the realities of the digital era and the COVID-19 remote work boom has impacted everyday life, pushing the subject firmly onto centre stage.

But what exactly are the critical issues when using these solutions in the industrial sector?

Reliability

We have all been there: starting a video meeting at the last minute, praying that you find the link to join and crossing your fingers that it works without a hassle. Or, the moment before a Skype call, hoping to hear and see something other than robot noises and what looks like modern art.

For personal and office use, high quality networks are usually available. If and when these communication solutions are not working properly, it is largely an issue of nuisance and inconvenience. 

In industrial conditions, when communication solutions are not working reliably it can be both expensive and potentially hazardous!

To be deemed reliable, a communication app must work whenever and wherever you need it. It must work even when network conditions are not perfect, without losing the call or destroying image and audio quality.  A lack of reliability in office and C2C communication is merely frustrating – in industrial use, unreliability can be life threatening and cause severe financial loss.

That is why solution reliability is critically important. When supporting someone with a technical problem, you must ensure you are both seeing  the same object: that the button, valve, or screw that you are pointing at is,  for certain, exactly the same one that is being viewed at the other end. You must to be able to see clearly what is going on at the other end, not a pixel mush. You do not want to start the same call five times because it crashes due to network problems. We would all prefer that nuclear facility personnel are communicating with a video tool that works reliably when they need support.

Security

In 2019, cyber crime resulted in at least $3.5 billion losses for US businesses. The value of cyber crime is expected to exceed the global drug trade in profitability in the upcoming years. Slacking and taking short cuts with cyber security, exposes a business to corporate espionage, data and identity thefts, malware and ransom attacks, and sabotage. 

But why is cyber security handled so badly if it is so important? 

The simple answer is that it is a technically challenging and costly issue. Enhancing security is a big investment and is often seen as a trade off between improving usability. Usability, without true cyber security, is easier and less expensive to achieve –  and therefore to sell – which tends to tip the scale in favour of usability over security.

Different approaches to cyber security for video call solutions, really stem from different starting points. 

An office or a home, as an online communication environment, has fundamentally different cyber security requirements to a nuclear power plant, a tanker, or a paper factory. 

Starting point defines cyber security in further development
Development starting point reflects to further development

A communications app is created to meet the requirements of its original purpose and its foundation is defined for the whole solution. Solutions can be further developed for new uses and adapted to new markets but the original foundation remains and the security principals stay the same. These principals will be fundamentally different because the requirements of the solution are different. For example, not to miss a call from your mom (WhatsApp), to participate in an office video meeting (Zoom), or to provide critical space station technical support (POINTR).

When security is not at the heart of the solution, nasty and potentially dangerous security compromising bugs can be identified and exploited. Like the very recent example in Zoom that enabled attackers to steal Windows credentials.

Approach: User Based vs. Built-In Cyber Security

“There is a trade off between security and usability when picking a video-conferencing product”, states Princeton computer science professor Arvind Narayanan in The Guardian. The common security approach is ‘user based’. This approach is used when usability is valued over security while building the solution. 

 A ‘user based’ security approach means that the user is responsible for establishing a secure communication. This involves passwords; network configuration; VPN configuration and special settings in the app when establishing the call. In this approach the solution provider offers guidelines and instructions, but the onus is on the user to be secure. 

“Security is hard! It is thought to be so unusable, so unscalable. That’s why so few people use strong encryption”, summarizes Dr. Boris Krassi, CEO of the Delta Cygni Labs group. “We found a way to make security usable and scalable but it took years of development as the centre of our solution. We even had to create our own telecommunication protocol to ensure secure but usable live video communication for industry”, Dr. Krassi continues. 

Unlike in Skype, Zoom, Teams, and WhatsApp, POINTR  has all its security features built in. Therefore, users are only responsible for their own use and not for the correct network configurations or app settings. This also means that there is no way for users to cut corners or meddle with the security features which could make the solution less secure.

To be a truly secure solution, security features can never be placed on the user’s shoulders, especially when the cyber security skills gap is expected to be the biggest threat for enterprises (Security Intelligence by IBM, Forbes). Instead, all security functions: data security; traffic encryption and privacy, must be built in. This is the only way for a solution to be truly cyber secure.

Identifying a Truly Cyber Secure Solution

When all solutions claim to be secure, how can you recognise the ones that really are? If you want to use a cyber secure solution for remote guidance, make sure the solution meets the following four criteria:

1. Call protocol

Calls should be routed securely to an app without the possibility of interception or abuse. This means there are no URL link invitations, which are one of the most common and most abused security hazards in video call applications. URL invitations are always an insecure way to add participants because you cannot be certain who receives and reacts to the invitation you have sent. 

Phone numbers are generally more reliable. In POINTR all calls are based on the phone number of the recipient instead of an email invitation or shared URL invitation. This makes it impossible to gatecrash calls that users are not specifically added to, ensuring privacy and security from uninvited guests. Such problems are, for example, what Zoom users have been experiencing

It is vital that all collaboration traffic, from starting the call (‘handshakes’), throughout the collaboration, until hanging up is encrypted. It is common to have only part of the traffic, like handshakes, properly encrypted using TCP with banking level transport layer security (TLS). But the rest of the traffic is managed over less reliable and secure UDP with custom protocols or is just partially encrypted.

In POINTR, all traffic is TCP TLS1.2 encrypted, without any UDP traffic. This is a built-in security feature at the heart of our call protocol. 

2. User verification

To make certain that application use is secure, all users must be authenticated. Allowing anonymous users creates an attack surface which exposes the platform and its users to abuse. When all users are verified, calls are routed through the app and based on phone numbers. There are no anonymous calls allowed which results in very limited opportunity for misuse. Authenticating users also allows the identification of unwelcome participants and the ability to instantly block their use.

Compulsory multi-phase authentication is the most secure way to verify users. It does require some effort from users but is necessary to ensure extra security. To make things easier, but still secure and reliable, for users across the world, POINTR uses SMS authentication to verify every user and email verification to activate licences.

3. Solution independence

The solution must be a stand-alone app. It means that the application does not depend on browsers, plug-ins or network configuration.

It is a common procedure for video call apps to offer access through a browser, which makes accessing calls easier for the call recipient. In terms of usability, browser access makes sense for many office use cases. In contrast, for industrial use cases like field remote guidance, browser access does not enhance usability. 

Instead, it exposes the call to internet browser security risks, such as regular cookies. It is also good to keep in mind that the more items you need to download, the more risk there is from malware. These risks cannot be avoided when third party software like browsers and plug-ins are included. It is yet another lax and inadequate way to approach security by shifting responsibility onto the users.

Independence from network configuration is essential in industry. The cyber security protocols and requirements are strict for a reason and you do not want to start poking holes into them. Furthermore, remote guidance calls are not made inside one organisation only, rather to a network of partners, customers, suppliers and subcontractors. Expecting all these possible participants to have their networks properly configured is not realistic. This potentially leaves the solution unsecured for most of the time.

For example, Teams demands a wide range of network configuration depending on how secure you want it to be. 

VPN is commonly used in businesses of all sizes when they want to keep their online traffic secured. Even though it is such a standard practice, some video call applications do not work with it. Teams is one of these. They blame the VPN’s bad configuration but the problem is really in the solution itself.

A good rule of thumb is that a solution where security is really taken seriously uses only TCP/TLS1.2 encryption. It will not ask you to do hacks in your existing security infrastructure to allow video traffic over UDP, or network configurations in order to make it safe.

Business cyber security infrastructure must be respected
Security infrastructure must be respected

4. File share protocol

File sharing is a vital part of professional communication. It is also a major way to distribute malware. 

Sharing full files stresses the network, which affects the video call quality. But the main problem is that verifying all received files in field conditions, usually under time pressure, is simply not possible. 

The sure way to eliminate the distribution of malware through a communication solution is by prohibiting the sending of files. 

As an alternative to file sharing, the secure approach allows participants to share views on a screen. 

For example, by sharing a view of a page on your screen, you can keep collaborating without needing to file share, thus eliminating all the associated security risks.  This is the reason files cannot be sent using POINTR and screen share is used instead.