More businesses have made the switch to remote work now than even considered it before COVID-19. And all polls indicate that the majority of non-essential workers will prefer to continue working from home even after the pandemic passes. While this offers plenty of advantages, such as better work-life balance and a wider pool of talent for companies to hire from, there are some inherent data security risks to a fully virtual workspace. Two particular aspects of remote working security made the encryption headlines this week. Will your online organization benefit from some extra attention to confirm your connections to your co-workers and devices are entirely protected?
End-to-end video encryption is just the beginning
Video conferencing has become a part of everyday life for remote employees, which is why understanding the full scope of how to protect these interactions is vital to your company’s security. To this end, Lifesize CTO Bobby Beck explains that end-to-end encryption alone may not be enough to protect video calls. A lot depends on how you implement that encryption.
“In order to secure a video call, something in the middle has to be encrypted,” he told UC Today. This is why Lifesize has introduced the concept of a visual indicator within video conferences that will confirm the “middle” of the communication was not intercepted by any bad actors. This approach is more useful because the question is never whether something is encrypted, but who it was encrypted by. Authenticating the encryption is just as important as the level of encryption.
Zoom has recognized the need for enhanced security around video conferencing as well, introducing two-factor authentication to the platform “to protect their users and prevent security breaches”. During the pandemic, Zoom has also extended end-to-end encryption benefits to free accounts.
Bluetooth vulnerability leaves encryption keys open to attack
Millions of laptop, tablet and smartphone users may be open to attack due to a vulnerability discovered in “dual-mode” Bluetooth devices that support Cross-Transport Key Derivation (CTKD) for pairing.
According to the Carnegie Mellon CERT Coordination Center, it is possible for the Long Term Keys/Link Keys (LTK/LK) that are generated when two devices are paired to be overwritten. “An attacker can alter the CTKD code to overwrite Bluetooth authentication keys on a device. In some instances, the authentication keys can be completely overwritten, while in others, keys can be altered to weaken encryption”.
The full extent of the “BLURtooth vulnerability” is still being determined, but it is best to share this information with your organization to ensure that no vulnerable devices are paired with company devices that contain sensitive information. Bluetooth 4.1 and Bluetooth 5.0 are currently considered the highest risk, while Bluetooth 5.1 is already being strengthened against these attacks.
The Bluetooth vulnerability highlights why it’s critical that organizations take control of machine identities like keys and certificates. To keep your business safe, you need to know how many machine identities you have, where they are located and who’s using them. Incorporating these additional layers of security will prove useful, as organizations do face a certain loss of control when it comes to their employees’ habits outside the typical office.