CyberCorps Graduate Student Offers Insight to Security of Video Chat Apps
The year 2020 will be remembered in software circles as the time when video conferencing became mainstream because of health risks associated with COVID-19, so NJIT graduate student Ramon Salvador decided to learn about video conferencing security for his final project, a requirement of Ying Wu College of Computing’s CyberCorps Scholarship for Service program.
CyberCorps, part of NJIT’s Secure Computing Initiative, is sponsored by the National Science Foundation. Students pursue an M.S. in cybersecurity and privacy, supported with full tuition and a stipend. In return, students are expected to work as cybersecurity professionals in a government agency.
Salvador, of Carteret, N.J., studied three popular video conferencing applications — Zoom, Microsoft Teams and Google Meet — this summer in conjunction with Mohammad Husain, associate professor of computer science at California State Polytechnic University / Pomona.
"Because of the pandemic and everything, video conferencing applications are extremely important right now," Salvador noted.
His project goal was to learn how the security systems work, not to conclusively state which systems are the best or worst, nor to speak for Ying Wu College of Computing.
Of the three services, Salvador said his opinion is that Microsoft Teams is probably the best choice for Windows users, while Google Meet is the safest option for people who use Apple or Linux computers including iOS and Android devices.
Zoom, he said, is getting safer after a round of well-documented security glitches earlier this year, but it's still not terribly safe overall. It is banned by many organizations and government entities. Salvador said he avoids it, although it likely remains the easiest-to-use choice for people who aren't technically savvy and those who must communicate in groups of heterogeneous operating systems.
Salvador explained that he wasn't able to examine the content of data packets nor could he look at source code, but he did evaluate each program based on its encryption level, user authentication, anonymity and other factors. He considered each program's forward secrecy, which tests whether a hack tomorrow could read messages sent yesterday. He devised some of the factors himself, with others coming from suggestions by the Electronic Frontier Foundation, which is a widely respected user advocacy organization.
He found that Zoom sends a substantial amount of unencrypted packets, while Zoom also sends metadata back to its servers. Google Meet on one occasion sent an unencrypted piece of data, which Salvador believes was related to a text message, although he wasn't able to replicate it. "It was the most interesting thing about my research," he said.
It's likely that Apple Facetime and Cisco Systems WebEx are also quite secure, although he did not test those. Facebook Messenger and other applications are also untested and perhaps security wildcards.
Salvador will go to work for a government agency after receiving his degree next spring, thereby meeting his requirements for the federally funded scholarship.
But he said the research itself was immediately rewarding. He will probably publish it in an IEEE journal. "To be honest," he said, "This whole experience has been so good, I do want to continue the research here. I am in touch with the professor."