employees now spend more than

five billion minutes per month in virtual meetings.

In response to the rapid shift,

IBM's security teams took a closer look at the increased risk

of conducting sensitive meetings in virtual settings.

Working with its strategic partner, Cisco,

IBM tested the security of videoconferencing tools

used across the company.

What is a ghost you ask?

A ghost is a term that we're using

for a participant in the meeting

that no one else can see.

They don't show up in the participant list,

and they were never invited to the meeting.

So they can hear everyone.

They can speak.

They can often see shared media and screens.

In order to establish a proper connection,

an application and a server exchange messages

during the initial handshake process.

IBM Research found a way to manipulate the information

during the initial handshake process

to stay invisible on the participants list,

thus becoming a ghost.

During our investigation,

what we focused on was the communication pattern

between the application and the server side.

We are basically acting as a man-in-the-middle

between this communication and monitoring web traffic

and what protocol they are using.

So this type of analysis can be used for analyzing

any other kind of communication pattern.

Alternatively, researchers found the attacker

can also exploit common confusion.

If the meeting participants and hosts aren't paying attention

to the number of entry tones

signaling a new participant has joined the call,

the attacker can easily join in stealth mode unnoticed.

Participants may also simply chalk any additional entry tones

up to network issues,

allowing the ghost to continue undisturbed.

In the work from home environment,

we're all a little bit more distracted,

there are lots of things going on,

and you might not notice any of these additional cues.

So the more hectic work environment that we have now

makes us all much more susceptible

to these types of social engineering attacks.

Not only could an attacker join meetings undetected

or disappear while maintaining audio connectivity,

but they can also disregard the host's expel order

and continue in stealth mode.

The ghost could also exploit this when the host

holds several back-to-back meetings in the same meeting room.

They may appear to drop from a call

but can remain connected for subsequent calls

and steal valuable information.

This leads to the third vulnerability.

A ghost can gain access to information on meeting attendees—

including full names, email addresses, IP addresses—

straight from the meeting room lobby,

without ever being admitted to the call.

This valuable information can be used for a wide range of attacks

or even just data collecting on valuable attendees in the meeting.

So what can Webex users do?

So what a Webex user can do

is they can assess the confidentiality of the meeting.

Can they use a personal meeting room,

or should they use a unique ID for each new meeting?

There is a password and the meeting ID.

So if we use a unique meeting ID

and also password protect the meeting,

that also prevents the ghost from entering to the lobby.

While this vulnerability is now patched,

attackers are constantly looking for new ways

to exploit flaws in popular applications.

So there are always going to be new vulnerabilities.

So we try to be very proactive

and find them before the adversaries do.

We continue to look at our own existing applications

and services that we use

and do that in such a way that we can protect IBM and our clients.