Security tips for broadcasters using videoconferencing calls for live shots
As more and more broadcasters rely on Zoom, Skype, Google Meet and Duo, FaceTime or other videoconferencing solutions for “live shots” for guests, correspondents and anchors, there are some security issues to be aware of.
With the astronomical rise in use of these services by educators, businesses and the general public during the coronavirus pandemic, the services have also started to become the target of hackers and scammers.
There have been reports, for example, of school calls and business meetings being interrupted by so-called “Zoombombing” tactics that result in unauthorized third parties “entering” the call and, in some cases, inserting explicit content that’s visible to everyone involved.
Unfortunately, broadcasters can be just as susceptible to these types of intrusions — with the added damage of having a fraudster’s antics go out over the air.
The exact security steps will vary greatly depending on the device and service being used as well as how it’s integrated from a technical standpoint.
H.323 and SIP connections may present different challenges or options than the services’ native apps.
However, here’s a list of general best practices:
Passwords and PINs
- If possible, password or PIN protect all incoming video calling tools. Change this password regularly if the service allows it. While this does add to the complication of having to let everyone know what the password is, it’s probably one of the best ways to prevent an intrusion.
- If your service allows it, use a password that is a combination of letters and numbers. Some videoconferencing solutions only allow numbers, but others do allow a mix of both. A password with letters and numbers will almost always be stronger than just a numerical one.
- Keep in mind that some platforms include the password (either “hashed” or not) in the path or URL.
- Keep in mind, when conveying password and access information, that email and phone calls are not secure forms of communication, and anyone overhearing login information or having access to the account could potentially get call login information.
- Remind users within your organization to use security best practices for their accounts on video calling services, including using strong passwords. Many efforts to enhance security will be moot if someone is able to hack into an account.
- Avoid using predictable or easy-to-guess usernames or passwords such as your station or network name, channel numbers or other easy-to-guess sequences.
- Always connect via encrypted or HTTPS connections if possible.
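
The passcode advice in this list, as added example code that is not from the original article: it audits a passcode for the weaknesses named above (digits only, station or channel names, simple sequences) and generates a random letters-and-digits replacement. The station terms, the 8-character minimum and all function names are assumptions for illustration, and it presumes a service that accepts letters as well as digits.

```python
import math
import secrets
import string

# Letters and digits minus look-alikes (0/O, 1/l/I): passcodes for live shots
# are often read aloud or retyped by guests.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   if c not in "0O1lI")
MIN_LENGTH = 8  # assumption: the article does not state a minimum length

def _norm(text):
    """Lowercase and drop everything except letters and digits."""
    return "".join(c for c in text.lower() if c.isalnum())

def is_digit_run(code):
    """True for numeric runs such as 123456, 987654 or 111111."""
    if len(code) < 3 or not code.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
    return len(steps) == 1 and steps <= {-1, 0, 1}

def audit_passcode(code, station_terms):
    """Return the reasons a passcode is weak (empty list = acceptable)."""
    problems = []
    if len(code) < MIN_LENGTH:
        problems.append("too short")
    if not (any(c.isdigit() for c in code) and any(c.isalpha() for c in code)):
        problems.append("not a mix of letters and digits")
    if is_digit_run(code):
        problems.append("easy-to-guess sequence")
    hits = [t for t in station_terms if _norm(t) and _norm(t) in _norm(code)]
    if hits:
        problems.append("contains station term: " + ", ".join(hits))
    return problems

def new_passcode(station_terms, length=10):
    """Draw from the OS CSPRNG until the result passes audit_passcode()."""
    while True:
        code = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not audit_passcode(code, station_terms):
            return code

def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random passcode of this length and alphabet."""
    return length * math.log2(alphabet_size)

# Constructed sample data for a hypothetical station.
STATION_TERMS = ["ExampleTV", "Channel 7", "News7"]
```

Comparing `entropy_bits(6, 10)` with `entropy_bits(10, len(ALPHABET))` shows the gap between a six-digit PIN (about 20 bits) and a ten-character mixed passcode (about 58 bits).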
Call software features
- Take advantage of “waiting room” or similar features that require the host to manually allow people into a call. Assign this responsibility to someone on your team who is aware of who is booked to appear as well as that person’s name or username on the service in question. Disable features that allow callers to join before the host.
- If possible, consider disabling video or audio or muting new callers by default. Likewise, you may also want to “lock” a meeting call once everyone is connected.
- Consider the risks of using the same “instant” or “personal” meeting ID for all of your hits. While it’s obviously more convenient to stick with the same information all the time, it also increases the risk that someone will eventually find out what it is, especially if you’re inviting people from outside your organization.
- Many videoconferencing solutions rely on the “unlisted number” concept — by using some kind of pseudorandom string for meeting IDs or access control. While this does mean it can be hard to guess an ID, it’s not impossible. Likewise, and going back to the origin of the “unlisted number” concept, no phone number is completely secret since they follow predictable patterns.
- It’s also worth noting that many videoconferencing solutions allow you to assign a time and date to each call — and the system can reject anyone trying to access the call outside of those times. This is another good layer of security, but there have already been reports that meeting IDs, titles and dates and times have been circulating on the dark web.
- Because meeting names containing high-profile network or personality names could end up on the dark web, don’t use any easily identifiable information in meeting titles. That way, even if the information gets out there, it won’t attract as much attention if it’s a generic name.
- Disable any features that your users won’t need, such as screen sharing, whiteboards, filters or chat. Not only does this reduce the chance of someone accidentally activating them, it also gives you more control over what makes it on air.
- Keep up to date with the latest security notices and updates that each tool announces by signing up for email alerts or checking blogs. Also be sure to update any apps, plugins or programs regularly, if applicable, to ensure you’re getting the latest security features.
- If possible, visually verify that the person joining the call is the correct person before allowing them to log in to the call or appear on air. In many cases, it’s not hard for a scammer to assume the username or even phone number of someone else so verifying these is only one step of the process.
- If applicable, keep phone numbers, usernames or other identifiers assigned to accounts as confidential as possible. It may be advisable to change these from time to time as well.