After Years of Using Zoom for Teletherapy
By: Eric DeGrove, Founder & CEO, Blink Session, Aug 14, 2019
In November 2018, a vulnerability was discovered in the Zoom video conferencing software that allowed attackers to hijack screen controls. Zoom has since fixed the vulnerability; however, the problem has brought to light the security problems with allowing people to "remote control" your computer during a video call.
The remote control feature found in some video conference software was developed so that a participant could control a presentation (usually PowerPoint) running on another computer. In the typical scenario, the participant is controlling a conference room computer connected to a projector, or something similar.
Before getting to remote control, we need to cover screen share. The ability to share part or all of your screen during a video call is useful. Screen share works by taking video (frames or pixels) of your screen or one application and sending them to other participants in your meeting. The only risk with screen share comes from unintentionally showing private information on your screen, but with remote control it is another story.
Remote control allows a participant in a meeting to send keyboard (keystrokes) and mouse inputs to a remote computer. The software shows the participant a screen share of the other computer, but also allows them to click and type within it. When they click or type, the software sends the click and typing data to the host computer. The host computer receives the clicks and typing and applies them at the specific pixels clicked or typed on. If the host computer is sharing one application, the software, theoretically, only applies the mouse clicks and keyboard inputs to that app.
The tech behind remote control in video conferencing software, like Zoom, was borrowed from remote desktop software. For decades Windows and Mac have included remote desktop and remote assistance software. By default, this is turned off. Allowing someone to remotely control your computer comes with big security risks. This is why remote desktop or assistance are typically only used by IT people to help people with a problem remotely, or to connect to your own computer remotely.
The Internet is not a secure playground. Hackers and malware number in the millions and work around the clock to destroy your data and expose your clients' private information. Companies that collect clients' sensitive medical or educational information are at an even greater risk. Every month in the U.S. there is at least one HIPAA violation which garners a fine in the tens of millions. That does not mean you should run screaming, only that you need to remember to lock your doors.
All computers, phones, and routers come with firewall software pre-configured to try to keep the bad guys (and girls) out. They also come with security features to keep us from accidentally giving unauthorized people access. For example, Windows and Mac require you to explicitly authorize an app to use your camera or mic. Despite all these safeguards, software companies continue to add features which can be exploited.
Allowing someone on a video conference to remote control your computer is a big security risk. If you are thinking, "My clients would never do anything malicious when remotely controlling what I've shared", you are probably right, but that is not the source of most of the risk. More often, the risk comes from malware (malicious software) your client might have accidentally installed on their device.
As explained earlier, remote control allows a remote user to send keyboard (keystrokes) and mouse inputs to another computer. When you give control, obviously your clients are not literally using your mouse or keyboard. Thus, your computer must decide what to do with click and typing data that comes over the Internet from the remote person. This is where the risk comes in.
As the diagram below shows, the security vulnerability lies in the decision your computer and video conferencing software must make when they apply your client's remote mouse and keyboard activity.
The Zoom vulnerability, which was exposed late last year, allowed computers on a video conference to gain control of other computers in the session without remote-control permission even being granted. Click here to watch a video showing this vulnerability.
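The decision described above can be sketched as a host-side gate that drops every remote input event unless the sender was explicitly granted control and the event targets the shared application. This is an added example, not Zoom's or Blink Session's code; `HostSession`, the event fields and the sample events are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass
class HostSession:
    """Host-side state for one meeting (hypothetical model, not a real API)."""
    shared_rect: Optional[Tuple[int, int, int, int]] = None  # x, y, w, h of shared app
    shared_app_focused: bool = False  # does the shared app hold keyboard focus?
    controllers: set = field(default_factory=set)  # participants the host approved

    def authorize(self, event: dict) -> Tuple[bool, str]:
        """Decide whether one remote input event may be applied. Default is deny."""
        if event.get("sender") not in self.controllers:
            return False, "sender was not granted remote control"
        if self.shared_rect is None:
            return False, "no application is being shared"
        if event.get("type") == "mouse":
            x, y, w, h = self.shared_rect
            px, py = event.get("x"), event.get("y")
            if not (isinstance(px, int) and isinstance(py, int)):
                return False, "malformed coordinates"
            if not (x <= px < x + w and y <= py < y + h):
                return False, "click lands outside the shared application"
            return True, "ok"
        if event.get("type") == "key":
            if not self.shared_app_focused:
                return False, "keystroke would go to a non-shared application"
            return True, "ok"
        return False, "unknown event type"

# Constructed sample traffic: "client-1" is approved by the host, "guest-7" is not.
SAMPLE_EVENTS = [
    {"sender": "client-1", "type": "mouse", "x": 150, "y": 220},
    {"sender": "client-1", "type": "mouse", "x": 5, "y": 5},
    {"sender": "client-1", "type": "key", "key": "a"},
    {"sender": "guest-7", "type": "mouse", "x": 150, "y": 220},
    {"sender": "client-1", "type": "scroll"},
]

def run_sample():
    session = HostSession(shared_rect=(100, 100, 800, 600), shared_app_focused=True)
    session.controllers.add("client-1")    # explicit grant by the host
    decisions = [session.authorize(e) for e in SAMPLE_EVENTS]
    session.shared_app_focused = False     # host switched to another window
    decisions.append(session.authorize(SAMPLE_EVENTS[2]))
    return decisions

if __name__ == "__main__":
    for allowed, reason in run_sample():
        print("APPLY" if allowed else "DROP ", reason)
```

The sender check runs first, so an event from a participant who was never granted control is dropped before its contents are examined.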
Once a remote computer can send commands to your computer as if it were you, you are in big trouble. Sophisticated attacks do not come from individuals "hacking" personal computers one by one. Instead, attackers engineer malware to spread from one computer to the next like a virus. Once malware is on one computer, it can easily spread to other devices on your home or office network.
Not all risks are created equal. Investing in a mutual fund with a 30-year track record is a lot less risky than your cousin's edible yo-yo business. You could go years using remote control in your video conferences and not have a problem, but there is a reason we wear our seat belts every time we ride in a car.
Remote control, in video conference software, was developed so that a participant could control a presentation on another computer. If you only use remote control for this purpose once in a while, the risk is lower than if you give your clients control of your computer, even of one app, every day. Again, the risk isn't from your client but from malware that can exploit potential security vulnerabilities in the remote control feature. If you have access to people's personal health information on your computer, the stakes are even greater.
People that wear seat belts do not get thrown out of their car when they are in an accident. I have only been in two accidents my entire life, but I still wear my seat belt every time I get in a car.
Replicating online what you do in person as a therapist or tutor is not easy. I'm amazed how well therapists keep kids and adults engaged when treating online. From the beginning of Blink Session, our goal was to give you the tools to create interactive experiences with your clients without having to use remote control, or even screen share (though we have screen share).
Still, platforms like Blink Session have not been around that long and most online therapists are used to having to rely completely on screen share and remote control. Additionally, it can be hard to adjust to the fact that the tech you use in person, like iPad apps, can never really be utilized the same way over a video conference.
Despite the challenges of working on therapy or academic goals over the Internet, we must not let our guard down. Would you leave the cash register unlocked at your office, or a filing cabinet with health records in the waiting room? These are crazy examples, but when it comes to technology, the risks are not as obvious. Usually they are unseeable.
Lastly, though you will find remote control ability in video conferencing software designed for business meetings, it is notably absent from 99% of software designed for medical use. When it is present, the purpose is for providers to remote into devices at a medical facility. The risk of allowing clients remote access to your computer is simply too great.