Search

Google Meet and BlueJeans – Re-engineered platforms for secure meetings

Google Meet and BlueJeans – Re-engineered platforms for secure meetings

This is the fourth post in a series of blogs examining the security of various Video Conferencing products for business. In this post we examine Google Meet and Bluejeans.  Posts still to come over the next few days will dive into Skype for Business, Tixeo, Jitsi Meet & BigBlueButton.

To read about our approach to this analysis, understand the target security model we applied, or see a side-by-side comparison of the products reviewed please visit our first post from this series.

 

Google Meet

Known as Meet by Google Hangouts until April 09, 2020, is a videoconferencing platform for businesses developed by Google and established in March 2017.

The solution is integrated into the Google Suite ecosystem (Gmail, Docs, Drive, etc.).

The G Suite license requires a fee for the service used. The license level determines the maximum number of participants allowed in a video conference. However as of April 29 Google has made Meet available for individuals, as long as they have Google accounts

Features

Meet allows one to organize meetings remotely (through audio and video calls), offers document sharing and an instant mailbox system. The service is accessible online through most Internet browsers or via mobile applications available on Android or IOS. There is no difference between the functions offered by the client software and those offered in the web version.

The Meet application is available on most market-leading platforms: Windows, Mac OS, Chrome, GNU / Linux as well as in application format on IOS and Android platforms. Meet also allows participants to join a scheduled video meeting by entering a single code. The service is only available in SaaS mode via the G Suite.

The tool is integrated into the Google Suite, making the use of other services easier. We found the product interface intuitive and easy to use, and it’s possible to join meetings from any device and via mobile phones.

We found the interface with other products such as the Microsoft Office suite to be less than smooth, probably because this solution is primarily set up for Google tools users (Gmail, Chrome, Google Calendar, etc.). The system also appears to suffer from restrictions with browsers other than Google Chrome.

 

Results table

 

Encryption    
Uses an appropriate encryption algorithm Unclear This is unclear to us. Meet uses Datagram Transport Layer Security (DTLS) and Secure Real-time Transport Protocol (SRTP) and SRTP uses Advanced Encryption Standard (AES) as the default cipher, but this is optional in the implementation.

 

See https://support.google.com/a/answer/7582940?hl=en

Uses a strong encryption key Unclear This is unclear to us: Unable to find an information up to date for Gsuite tools like Meet.

 

See https://support.google.com/googlecloud/answer/6056693?hl=en

Data is encrypted in transit under normal use Fully See https://support.google.com/a/answer/7582940?hl=en
Data stays encrypted in transit on provider servers No To the best of our knowledge. According to Google “All data in Meet is encrypted in transit by default between the client and Google“. See support.google.com/a/answer/7582940
Voice, Video and Text are all encrypted Fully See https://support.google.com/a/answer/7582940?hl=en
File transfers & session recordings are encrypted Fully See https://support.google.com/a/answer/7582940?hl=en
Vendor technically can’t decrypt the data at any point, even under regulatory pressure (full E2EE) No To the best of our knowledge G-suite keys are managed by Google. In Google Cloud, keys can be managed by users. Google offers a Key Management Solution (KMS) to enhance creation, management and destruction of keys, but it’s not clear to us that this can be applied to Meet, or that it prevents Google from accessing those keys if required.

 

See https://cloud.google.com/blog/products/gcp/cloud-kms-ga-new-partners-expand-encryption-options

Encryption implementation has withstood scrutiny over time Fully  
Authentication    
Administrators can define password security policies Partially Password policies appear to be set at the Google Account level, individual passwords for meetings do not appear to be used.See https://support.google.com/a/answer/139399?hl=en and support.google.com/meet/answer/9303069
Supports MFA as default Fully  
Can integrate with Active Directory or similar Fully See https://support.google.com/a/answer/106368?hl=en
Can integrate with SSO solutions via SAML or similar Fully See https://support.google.com/a/answer/6087519?hl=en
Offers RBAC Fully See https://support.google.com/a/answer/1219251?hl=en
Allows passwords to be set for meetings No See support.google.com/meet/thread/35052991 and support.google.com/meet/thread/35052991
Allows meeting password security policies to be set No Passwords are not available for meetings. Attendees without a Google Account have to ask to join a meeting, whereas Google Account users who are invited can join directly

 

See https://support.google.com/meet/thread/35052991?hl=en&msgid=46012118

Jurisdiction    
Headquarters address USA Mountain View, CA, USA
The vendor cannot technically access any data without the client’s consent No Data can be accessed but should only be done so at the customer’s request for support or other purposes. Google provides Access Transparency logs for G Suite Enterprise and G Suite Enterprise for Education to allow them to review logs of actions taken by Google staff.

 

See https://support.google.com/a/answer/9230474

A full on-prem version is available for users who don’t want to trust the vendor No There isn’t a full on-prem version of Google Meet, this solution is included in Google Suite, hosted on Google Cloud Solutions
For SaaS modes of deployment, the client can select which countries or political regions data is stored or processed in Partially The feature is available but appears to be restricted to choosing globally distributed, in the US or across Europe. The G Suite data regions feature can be used to store Meet recordings in Drive only in specific regions (for example, the US or Europe). Regional storage limitations do not apply to video transcodes, processing, indexing, etc.See https://gsuite.google.com/products/admin/data-regions and https://support.google.com/a/answer/7582940?hl=en
Complies with appropriate security certifications (e.g. ISO27002 or BSI C5) Fully
  • SOC1/2/3
  • ISO 27001
  • ISO 27017
  • ISO27018
  • FedRamp Moderate ATO
  • HIPAA
  • HITRUST
  • BSI 5
  • ENS High

See https://support.google.com/a/answer/7582940?hl=en

https://cloud.google.com/security/compliance

Complies with appropriate privacy standards (e.g. FERPA or GDPR) Fully
  • GDPR
  • Privacy Shield

See https://cloud.google.com/security/gdpr/resource-center/contracts-and-terms

and https://cloud.google.com/security/compliance/privacy-shield

Provides a transparency report that details information related to requests for data, records, or content. Fully See https://support.google.com/meet/answer/9852160?hl=en

 

https://transparencyreport.google.com/user-data/overview

Security Management    
Offers other forms of access control to meetings, e.g. waiting rooms, lockout, banning etc. Partially
  • Attendees without a Google Account have to ask to join a meeting, whereas Google Account users who are invited can join directly.
  • Only meeting creators and calendar owners can mute or remove other participants.
  • Only meeting creators and calendar owners can approve requests to join made by external participants.
  • Meeting participants can’t rejoin nicknamed meetings once the final participant has left.
  • Google Meet uses a 25-character string for meeting IDs and restricts the ability of external participants to join a meeting 15 minutes before the meeting starts.

See https://www.zdnet.com/article/google-heres-how-google-meet-beats-zoombombing-trolls/ and https://sada.com/blog/google-cloud/g-suite/google-meet-vs-zoom-7-reasons-why-google-meet-is-superior/

Allows granular control over in-meeting actions like screen sharing, file transfer, remote control. No Unable to find anything specific to suggest this was possible, may be possible from a higher level in G Suite settings.
Offers clear central control over all security settings Partially Not specifically for Google Meet, appears to be done at the G Suite Google Account level using Cloud Identity and Access Management (IAM).
Allows for monitoring and maintenance of endpoint software versions No Not applicable as Google Meet runs entirely in the browser for desktop clients. Apps are available for Android and iOS and these would be updated automatically via their app stores.
Provides compliance features like eDiscovery & Legal Hold Fully See https://support.google.com/a/answer/2462365?hl=en
Auditing and Reporting Fully See https://support.google.com/a/answer/9186729?hl=en
Additional content security controls like DLP, watermarking, etc. Partially
  • G Suite Enterprise includes Data Loss Prevention (DLP) for Drive.
  • Meet users can enroll in Google’s Advanced Protection Program (APP), which provides protections against phishing and account hijacking.

See https://apps.google.com/meet/pricing/ and https://support.google.com/a/answer/7582940?hl=en

Vulnerability Management    
Percentage of NVD 2019 0.00 A few vulnerabilities have been reported in their previous ‘Hangouts’ product.
Percentage of NVD 2020 0.00  
Vendor discloses which vulnerabilities have been addressed Unknown Couldn’t find reports of any vulnerabilities although it’s not clear if this is due to there being none or that they haven’t been disclosed.
Vendor runs a bug bounty Fully Google have their own Google Vulnerability Reward Program (VRP).

 

See https://www.google.co.uk/about/appsecurity/reward-program/

 

Encryption

The voice, video and text traffic generated by Meet is encrypted between the endpoint and Google’s servers, except of course for telephone dial-ins, which would be the case for all providers that offer this feature.

Meet implements Datagram Transport Layer Security (DTLS) and Secure Real-time Transport Protocol (SRTP). DTLS is based on the Transport Layer Security (TLS) protocol and is intended to provide similar security guarantees. SRTP provides encryption, message authentication and integrity, and replay attack protection for the RTP protocol, which is used to stream audio and video[1].

These are both accepted standards for this kind of requirement. Meet recordings stored in Google Drive are encrypted at rest by default.

It should be noted, however, that there is no attempt to provide E2EE encryption and data could therefore traverse Google’s infrastructure in clear text.

Authentication

Authentication is done via a Google account which is also used to access other G Suite applications, providing support for single sign-on (SSO). Google’s cloud services offer various forms of strong authentication and users also benefit from several other security controls that Google incorporates in all its services, including Suspicious Login Monitoring, Context Aware Access and the Advanced Protection Program.

Anonymous users can be allowed to join meetings if explicitly invited or allowed by the meeting organizer.

Jurisdiction and Regulation

Google advertises several security and privacy certification and accreditations for their cloud suite, including ISO27001, PCI DSS, HIPAA, FIPS, NHS Digital Commercial Third-Party Information Governance Requirements, Privacy Shield, GDPR and C5[2]. In 2016, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) created the Cloud Computing Compliance Controls Catalog (C5). C5 is an audited standard that establishes a mandatory minimum baseline for cloud security and the adoption of public cloud solutions by German government agencies and organizations that work with government. C5 is also being increasingly adopted by the private sector.

However, Google as a USA located company and subjected to the regulations of the country might be compelled to intercept communications. Google has in the past faced criticism regarding abuses of privacy with its Business to Client (B2C) solutions, like Gmail and Search, Google has been accused of retrieving users’ personal information and preferences to do targeted marketing. We don’t feel this could be said about their Business to Business offers, however.

G Suite Business, Enterprise, and Enterprise for Education customers can designate the region in which primary data for select G Suite apps is stored when at rest—globally, in the US, or in Europe – for data sovereignty[3]. Customers can also use data regions functionality to store select/covered data of Google Meet recordings in specific regions (i.e. US or Europe). We could not, however, find evidence to suggest that regions would be enforced for voice, video or text traffic.

Security Features and Management

Google’s identity and access management (IAM) service lets administrators manage all user credentials and cloud applications access in one place.

Audit logging for Meet is available within the Admin console for GSuite Enterprise, and Google offers Access Transparency[4], a feature which logs any Google admin access to Meet recordings stored in Drive. Access Transparency is also offered as part of GSuite Enterprise.

G Suite Enterprise includes Data Loss Prevention (DLP) for Drive.

Meet users can enroll in Google’s Advanced Protection Program (APP), which provides protections against phishing and account hijacking.

Vulnerability & Exploit History

There are no vulnerabilities recorded for this technology in the NIST National Vulnerability Database. Google is by no means immune to security bugs and exploits, and a few vulnerabilities have been reported in their previous ‘Hangouts’ product. However, although there is little data with which to assess this product’s security heritage, it would be fair to argue that Google has robust processes and a strong reputation in this regard.

 

BlueJeans

BlueJeans provides an interoperable cloud-based video meetings service that connects many users across different devices, platforms and conference programs. Every BlueJeans member has a private “meeting room” in the BlueJeans cloud to schedule and host conference meetings. It operates with business conferencing solutions such as Cisco, Microsoft Lync, StarLeaf, Lifesize, and Polycom, as well as consumer services like Google.

Verizon communications announced on April 16th, 2020, that it had entered into an agreement to acquire BlueJeans to expand its Business portfolio offerings, particularly its unified communications offerings. The transaction is expected to close in the second quarter of 2020.

Features

BlueJeans provides end users with interoperability to ensure frictionless video conferencing, regardless of desktop operating system (e.g., Windows, macOS, Linux), browser (e.g., Chrome, Firefox, Safari, Edge, Opera), mobile device (e.g., iOS, Android), or virtual desktop infrastructure (e.g., Citrix). Hardware interoperability is extensive and includes Cisco, Poly, Lifesize, Dolby and more, essentially if it is based on SIP or H.323 standards, it is interoperable with BlueJeans.

The software includes several stand-out features that will appeal to business owners and professionals. For example, meeting recordings can be broken down into chapters, with segment highlights, task assignment and smart follow-up.

On top of the fact that meetings have no time limit, hosts can create up to 20 breakout sessions and distribute participants as needed, which is great for collaborating on subtasks. You can easily share your screen, annotate with whiteboard functions, and even allow remote desktop access to an assignee. However, there is no option to blur out backgrounds for greater privacy and distraction-free meetings.

Administrators have advanced user management features and can utilise a centralised admin console to add and manage users, set access permissions and passwords as well as enable or disable features on a company-wide or group basis.

BlueJeans integrates with a number of other applications including Slack, Microsoft Teams, Microsoft Outlook, Google Calendar & Okta amongst others.

Results table

 

Encryption    
Uses an appropriate encryption algorithm Fully BlueJeans supports standards-based encryption (AES-128) that is available on most video endpoints today[5].https://www.bluejeans.com/sites/default/files/pdf/Blue-Jeans-Network-Security.pdf
Uses a strong encryption key Fully AES-128 for calls and AES-256 for data at rest.
Data is encrypted in transit under normal use Fully BlueJeans connections using BlueJeans client applications or web browsers for video are encrypted by default in BlueJeans meetings.

 

https://www.bluejeans.com/sites/default/files/pdf/Blue-Jeans-Network-Security.pdf

Data stays encrypted in transit on provider servers Unclear We could not clarify this from available documentation.
Voice, Video and Text are all encrypted Fully “Enforce Encryption” can be set when scheduling a BlueJeans meeting to ensure only encryption capable devices can join the meeting.
File transfers & session recordings are encrypted Fully Recordings are stored in secure containers in the cloud. These videos are encrypted at rest (AES-256bit) and are only accessible to the recording originator.

 

https://www.bluejeans.com/sites/default/files/pdf/Blue-Jeans-Network-Security.pdf

Vendor technically can’t decrypt the data at any point, even under regulatory pressure (full E2EE) No Not to our knowledge
Encryption implementation has withstood scrutiny over time Fully  
Authentication    
Administrators can define password security policies Fully Group Administrators who have set their Group’s Authentication Type to use a BlueJeans Username & Password can customize the Password Requirements for all their new and existing users.

 

See https://support.bluejeans.com/s/article/How-to-Change-Password-Requirements

Supports MFA as default No No native MFA available, needs third party IdP to provide it.
Can integrate with Active Directory or similar Fully See https://support.bluejeans.com/s/article/BlueJeans-SSO-Support-and-FAQ
Can integrate with SSO solutions via SAML or similar Fully See https://support.bluejeans.com/s/article/BlueJeans-SSO-Support-and-FAQ
Offers RBAC Fully See https://support.bluejeans.com/s/article/Managing-Features-for-Users
Allows passwords to be set for meetings Partially No passwords but a Participant Passcode can be set.
Allows meeting password security policies to be set No  
Jurisdiction    
Headquarters address USA San Jose, California,U.S.A
The vendor cannot technically access any data without the client’s consent No It would appear they can access data but only with the consent of customers.

 

See https://www.bluejeans.com/sites/default/files/security-and-privacy.pdf

A full on-prem version is available for users who don’t want to trust the vendor No They do offer Blue Jeans Relay which allows integration of existing calendar services and conferencing equipment, but connection to Blue Jeans is still required.

 

See https://support.bluejeans.com/s/article/BlueJeans-Relay

For SaaS modes of deployment, the client can select which countries or political regions data is stored or processed in No Could not find any indication that this was a supported feature.
Complies with appropriate security certifications (e.g. ISO27002 or BSI C5) Partially No indication of having achieved ISO certification, although the data center hosting providers are ISO 27001 certified, and they claim to follow an ISO 27001 framework.

 

See https://www.digitalmarketplace.service.gov.uk/g-cloud/services/623403157578821

Complies with appropriate privacy standards (e.g. FERPA or GDPR) Fully See https://www.bluejeans.com/trust-center/compliance
Provides a transparency report that details information related to requests for data, records, or content. No Could not find any reference to a transparency report. Their privacy report does state however that they will share information with third parties if necessary to “comply with a legal obligation, regulation, or government request.”
Security Management    
Offers other forms of access control to meetings, e.g. waiting rooms, lockout, banning etc. Fully See https://support.bluejeans.com/s/article/Meeting-Security-Features
Allows granular control over in-meeting actions like screen sharing, file transfer, remote control. Fully See https://support.bluejeans.com/s/article/Administrator-s-Training-Guide#manage_features

 

https://support.bluejeans.com/s/article/Meeting-Controls-for-Participants-and-Moderators

Offers clear central control over all security settings Fully See https://support.bluejeans.com/s/article/Administrator-s-Training-Guide#manage_features

 

See https://support.bluejeans.com/s/article/BlueJeans-App-2-x-Centralized-Deployment

Allows for monitoring and maintenance of endpoint software versions No Relies on third parties for deployment.

 

See https://support.bluejeans.com/s/article/BlueJeans-App-2-x-Centralized-Deployment

Provides compliance features like eDiscovery & Legal Hold No No reference could be found to either eDiscovery or Legal Hold.
Auditing and Reporting Partially Couldn’t find reference to audit logging, reporting on metric and statistics is available in the BlueJeans Command Center.

 

See https://pws-bluejeans-drive-prod.s3-us-west-2.amazonaws.com/file/command_center_guide_-_nov_2018.pdf

Additional content security controls like DLP, watermarking, etc. Partially Couldn’t find any reference to DLP, however watermarking is available.

 

See https://support.bluejeans.com/s/article/Event-Watermark-Instructions-and-Guidelines

Vulnerability Management    
Percentage of NVD 2019 0.00  
Percentage of NVD 2020 0.00  
Vendor discloses which vulnerabilities have been addressed No There is a bug bounty operated via BugCrowd however disclosure of vulnerabilities is not allowed. BlueJeans own Security Advisories webpage is empty.
Vendor runs a bug bounty Fully Yes via BugCrowd but no disclosure of vulnerabilities is allowed.

 

 

Encryption

Like most video conferencing solutions, BlueJeans does not support end-to-end encryption. However, calls can still be AES-128 encrypted and you can select, “Enforce Encryption” when scheduling a BlueJeans meeting to ensure only encryption capable devices can join the meeting.

Meeting recordings are stored in secure containers in the cloud. These videos are encrypted at rest (AES-256bit) and are only accessible to the recording originator. They may be shared by the recording originator using email addresses through the web user interface. These can be viewed as an encrypted (AES-128bit) playback stream using a web browser or downloaded to an on-premise media server or storage device.

Authentication

According to its website, BlueJeans uses the secure and widely adopted industry standard Security Assertion Markup Language (SAML), for Single Sign On method. This also means BlueJeans implementation of SSO integrates easily with any large Identity Provider (IdP) that supports SAML. Officially supported Identity Providers include ADFS 2.0 & 3.0, Citrix Cloud, Okta, OneLogin, Centrify, Azure AD, Shibboleth, RSA SecurID, Ping Identity & Bitium.

We could not see any reference to native multi-factor authentication support in the BlueJeans application, however the supported SSO platforms should be capable of providing this.

Jurisdiction & Regulation

BlueJeans services are hosted in six tier-4, co-location data centres around the world. Their primary production data centre is located at Equinix Inc. in San Jose, California, with three other data centres at Equinix facilities in Ashburn, Virginia; Amsterdam and Singapore. There is also an additional non-Equinix location in Sydney, Australia. AWS and Azure are also used for additional capacity and storage services around the globe.

BlueJeans complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. BlueJeans adheres to the Privacy Shield Principles[6].

On their site BlueJeans state that it has published an updated Privacy Policy to help meet the transparency and notice requirements required by the GDPR. And that it continues to do proper diligence on subcontractors, sub-processors and service providers to ensure that personal data is treated and protected appropriately.

Security Features and Management

BlueJeans has what appears to be a simple to use admin interface, although the options do appear to be limited. Default options can be configured, such as how recordings are handled, shared and retained. Password options can also be configured to require a minimum length and whether specific characters need to be present. Features such as Remote Desktop Sharing, Recording and the ability to host large meetings, can all be enabled or disabled centrally as defaults. The same features can also be turned on or off at a user level, along with what permissions a user has over the BlueJeans solution itself. Furthermore, there is the BlueJeans Command Center which is a service intelligence tool that offers real-time and historical data to IT organizations, including the ability to visualize, measure and manage their BlueJeans deployment.

Vulnerability & Exploit History

The NIST National Vulnerability Database appears to have no entries for BlueJeans at this time. The BlueJeans Security Advisories page on its website also has nothing listed. It does have a bug bounty program through Bugcrowd, however it does not allow any disclosure. There are several people listed on the program’s hall of fame, suggesting that vulnerabilities have been found but not been made public.


1: Video killed the conferencing star
2: In-depth product analysis – Zoom & Microsoft Teams
3: Let’s examine Cisco Webex – A visionary player
4: Google Meet and BlueJeans – Re-engineered platforms for secure meetings
5: Tixeo and BigBlueButton
6: A closer look at Skype for business and Jitsi Meet


Sources

[1] support.google.com/a/answer/7582940[2] support.google.com/googlecloud/answer/6056694
[3] support.google.com/a/answer/9223653
[4] cloud.google.com/access-transparency/
[5] “AES-128 provides more than enough security margin for the forseeable future. But if you’re already using AES-256, there’s no reason to change” – Bruce Schneier, July 2019 (https://www.schneier.com/blog/archives/2009/07/another_new_aes.html).
[6] www.privacyshield.gov/participant

Authors

Head of Security Research

Charl van der Walt

Technical thought leader, spokesman and figurehead for Orange Cyberdefense world-wide, leading and managing the OCD Security Research Center – a specialist security research unit. We identify, track, analyze, communicate and act upon significant developments in the security landscape.

Senior Consultant Cybersecurity

Quentin Aguesse

Graduated from a French Business School, Quentin is now senior consultant at Orange Cyberdefense operating from Casablanca (Morocco). With nearly 10 years of experience, Quentin has specialised in risk assessment , disaster recovery planning, as well as cybersecurity awareness.

Consultant Cybersecurity

Jérôme Mauvais

As a specialist in regulatory compliance, Jérôme Mauvais is a security consultant for Orange Cyberdefense. Highly invested in the protection of personal data, Jérôme has also been remarked all along his career for his great capacities of knowledge transmission.

Lead Security Researcher (MSIS Labs)

Carl Morris

Carl has over 20 years’ experience working within IT, covering the whole breadth of the IT infrastructure, with a primary focus and interest on the security related solutions. This has been followed by a decade working in MSSP’s, the latest of which being at SecureData for over 7 years. Initially as an Escalation Engineer followed by moving into Professional Services then to the Managed Threat Detection team as a Senior Security Analyst before moving into the Labs team as a Lead Security Researcher.

Incident Response Hotline

Facing cyber incidents right now?

Contact our 24/7/365 world wide service incident response hotline!