27 April 2020
This is the fourth post in a series of blogs examining the security of various video conferencing products for business. In this post we examine Google Meet and BlueJeans. Posts still to come over the next few days will dive into Skype for Business, Tixeo, Jitsi Meet & BigBlueButton.
Known as Meet by Google Hangouts until April 09, 2020, Google Meet is a videoconferencing platform for businesses developed by Google and established in March 2017.
The solution is integrated into the Google Suite ecosystem (Gmail, Docs, Drive, etc.).
The G Suite license requires a fee for the service used. The license level determines the maximum number of participants allowed in a video conference. However, as of April 29, Google has made Meet available to individuals, as long as they have Google accounts.
Meet allows one to organize meetings remotely (through audio and video calls), and offers document sharing and an instant messaging system. The service is accessible online through most Internet browsers or via mobile applications available on Android or iOS. There is no difference between the functions offered by the client software and those offered in the web version.
The Meet application is available on most market-leading platforms: Windows, macOS, Chrome and GNU/Linux, as well as in application format on iOS and Android. Meet also allows participants to join a scheduled video meeting by entering a single code. The service is only available in SaaS mode via G Suite.
The tool is integrated into the Google Suite, making the use of other services easier. We found the product interface intuitive and easy to use, and it’s possible to join meetings from any device and via mobile phones.
We found the interface with other products such as the Microsoft Office suite to be less than smooth, probably because this solution is primarily set up for Google tools users (Gmail, Chrome, Google Calendar, etc.). The system also appears to suffer from restrictions with browsers other than Google Chrome.
| Criterion | Rating | Notes |
|---|---|---|
| Uses an appropriate encryption algorithm | Unclear | This is unclear to us. Meet uses Datagram Transport Layer Security (DTLS) and Secure Real-time Transport Protocol (SRTP); SRTP uses the Advanced Encryption Standard (AES) as its default cipher, but this is optional in the implementation. |
| Uses a strong encryption key | Unclear | This is unclear to us: we were unable to find up-to-date information for G Suite tools like Meet. |
| Data is encrypted in transit under normal use | Fully | See https://support.google.com/a/answer/7582940?hl=en |
| Data stays encrypted in transit on provider servers | No | To the best of our knowledge. According to Google, “All data in Meet is encrypted in transit by default between the client and Google”. See support.google.com/a/answer/7582940 |
| Voice, Video and Text are all encrypted | Fully | See https://support.google.com/a/answer/7582940?hl=en |
| File transfers & session recordings are encrypted | Fully | See https://support.google.com/a/answer/7582940?hl=en |
| Vendor technically can’t decrypt the data at any point, even under regulatory pressure (full E2EE) | No | To the best of our knowledge, G Suite keys are managed by Google. In Google Cloud, keys can be managed by customers: Google offers a Key Management Service (KMS) for the creation, management and destruction of keys, but it is not clear to us that this can be applied to Meet, or that it prevents Google from accessing those keys if required. |
| Encryption implementation has withstood scrutiny over time | Fully | |
| Administrators can define password security policies | Partially | Password policies appear to be set at the Google Account level; individual passwords for meetings do not appear to be used. See https://support.google.com/a/answer/139399?hl=en and support.google.com/meet/answer/9303069 |
| Supports MFA as default | Fully | |
| Can integrate with Active Directory or similar | Fully | See https://support.google.com/a/answer/106368?hl=en |
| Can integrate with SSO solutions via SAML or similar | Fully | See https://support.google.com/a/answer/6087519?hl=en |
| Offers RBAC | Fully | See https://support.google.com/a/answer/1219251?hl=en |
| Allows passwords to be set for meetings | No | See support.google.com/meet/thread/35052991 |
| Allows meeting password security policies to be set | No | Passwords are not available for meetings. Attendees without a Google Account have to ask to join a meeting, whereas invited Google Account users can join directly. |
| Headquarters address | USA | Mountain View, CA, USA |
| The vendor cannot technically access any data without the client’s consent | No | Data can be accessed, but this should only be done at the customer’s request for support or other purposes. Google provides Access Transparency logs for G Suite Enterprise and G Suite Enterprise for Education, allowing customers to review logs of actions taken by Google staff. |
| A full on-prem version is available for users who don’t want to trust the vendor | No | There is no full on-prem version of Google Meet; the solution is included in G Suite and hosted on Google Cloud. |
| For SaaS modes of deployment, the client can select which countries or political regions data is stored or processed in | Partially | The feature is available but appears to be restricted to a choice between globally distributed, in the US, or across Europe. The G Suite data regions feature can be used to store Meet recordings in Drive only in specific regions (for example, the US or Europe). Regional storage limitations do not apply to video transcodes, processing, indexing, etc. See https://gsuite.google.com/products/admin/data-regions and https://support.google.com/a/answer/7582940?hl=en |
| Complies with appropriate security certifications (e.g. ISO27002 or BSI C5) | Fully | |
| Complies with appropriate privacy standards (e.g. FERPA or GDPR) | Fully | |
| Provides a transparency report that details information related to requests for data, records, or content | Fully | See https://support.google.com/meet/answer/9852160?hl=en |
| Offers other forms of access control to meetings, e.g. waiting rooms, lockout, banning etc. | Partially | |
| Allows granular control over in-meeting actions like screen sharing, file transfer, remote control | No | We were unable to find anything specific to suggest this is possible; it may be possible from a higher level in G Suite settings. |
| Offers clear central control over all security settings | Partially | Not specifically for Google Meet; this appears to be done at the G Suite Google Account level using Cloud Identity and Access Management (IAM). |
| Allows for monitoring and maintenance of endpoint software versions | No | Not applicable, as Google Meet runs entirely in the browser for desktop clients. Apps are available for Android and iOS, and these would be updated automatically via their app stores. |
| Provides compliance features like eDiscovery & Legal Hold | Fully | See https://support.google.com/a/answer/2462365?hl=en |
| Auditing and Reporting | Fully | See https://support.google.com/a/answer/9186729?hl=en |
| Additional content security controls like DLP, watermarking, etc. | Partially | |
| Percentage of NVD 2019 | 0.00 | A few vulnerabilities have been reported in their previous ‘Hangouts’ product. |
| Percentage of NVD 2020 | 0.00 | |
| Vendor discloses which vulnerabilities have been addressed | Unknown | We couldn’t find reports of any vulnerabilities, although it is not clear whether this is because there are none or because they haven’t been disclosed. |
| Vendor runs a bug bounty | Fully | Google runs its own Google Vulnerability Reward Program (VRP). |
The voice, video and text traffic generated by Meet is encrypted between the endpoint and Google’s servers, except of course for telephone dial-ins, which would be the case for all providers that offer this feature.
Meet implements Datagram Transport Layer Security (DTLS) and Secure Real-time Transport Protocol (SRTP). DTLS is based on the Transport Layer Security (TLS) protocol and is intended to provide similar security guarantees. SRTP provides encryption, message authentication and integrity, and replay attack protection for the RTP protocol, which is used to stream audio and video.
These are both accepted standards for this kind of requirement. Meet recordings stored in Google Drive are encrypted at rest by default.
It should be noted, however, that there is no attempt to provide end-to-end encryption (E2EE), and data could therefore traverse Google’s infrastructure in clear text.
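The replay protection that SRTP adds to RTP is the part of the paragraph above that is easiest to show concretely. The following Python block is an added example written for this post, not code from Google, BlueJeans or the original article: it implements the receiver-side packet index estimation and the 64-packet sliding replay window described in RFC 3711 (sections 3.3.1 and 3.3.2). It assumes that each packet’s authentication tag has already been verified before the window is consulted, and the sequence numbers it is fed are constructed test input, not captured traffic.

```python
"""Sliding-window replay protection in the style of SRTP (RFC 3711).

Added example; not code from Google, BlueJeans or the original article.
A real SRTP stack authenticates every packet with an HMAC before consulting
the replay list; that step is assumed to have succeeded here, so the input
is just the 16-bit RTP sequence number (SEQ) carried by each packet.
"""

WINDOW = 64          # RFC 3711 section 3.3.2: replay list must cover >= 64 packets
SEQ_MOD = 1 << 16    # RTP sequence numbers are 16 bits and wrap around


class SrtpReplayWindow:
    """Tracks the 48-bit SRTP packet index (ROC * 2^16 + SEQ) and rejects any
    index that was already accepted or that falls behind the window."""

    def __init__(self):
        self.roc = 0          # rollover counter, bumped each time SEQ wraps
        self.s_l = None       # highest SEQ accepted so far (None before first packet)
        self.highest = None   # highest accepted 48-bit index
        self.bitmap = 0       # bit k set => index (highest - k) has been accepted

    def estimate_index(self, seq):
        """RFC 3711 section 3.3.1: choose v in {ROC-1, ROC, ROC+1} so that
        v * 2^16 + seq is the candidate index closest to the last one seen."""
        if self.s_l is None:
            return self.roc * SEQ_MOD + seq
        half = SEQ_MOD // 2
        if self.s_l < half:
            v = self.roc - 1 if seq - self.s_l > half else self.roc
        else:
            v = self.roc + 1 if self.s_l - half > seq else self.roc
        if v < 0:
            return None       # would predate the session: unverifiable, reject
        return v * SEQ_MOD + seq

    def accept(self, seq):
        """Return True and record the packet if it is fresh; False if it is a
        replay or too old for the window to vouch for."""
        if not 0 <= seq < SEQ_MOD:
            raise ValueError("SEQ must be a 16-bit value")
        idx = self.estimate_index(seq)
        if idx is None:
            return False
        if self.highest is None or idx > self.highest:
            # Newer than anything seen: slide the window forward and mark bit 0.
            shift = 0 if self.highest is None else idx - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = idx
            self.roc, self.s_l = idx // SEQ_MOD, idx % SEQ_MOD
            return True
        delta = self.highest - idx
        if delta >= WINDOW:
            return False      # behind the window: drop rather than guess
        if self.bitmap & (1 << delta):
            return False      # already accepted once: replay
        self.bitmap |= 1 << delta   # late but legitimate out-of-order packet
        return True


def run_stream(seqs):
    """Feed a constructed list of SEQ values through one window and return
    the accept/reject verdict for each packet in order."""
    window = SrtpReplayWindow()
    return [window.accept(s) for s in seqs]


if __name__ == "__main__":
    # Constructed packet sequence: traffic crossing the 16-bit wrap, a replay
    # of a pre-wrap packet, a duplicate, one late packet, and its replay.
    stream = [65534, 65535, 0, 65535, 1, 1, 65533, 65533]
    for seq, ok in zip(stream, run_stream(stream)):
        print(f"SEQ {seq:5d}: {'accepted' if ok else 'rejected'}")
```

The interesting case is the fourth packet: SEQ 65535 arrives again after the counter has wrapped to 0, and a naive check on the 16-bit number alone could not tell it from the legitimate pre-wrap packet. The rollover counter maps it back to the same 48-bit index, and the bitmap shows that index has already been accepted.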
Authentication is done via a Google account which is also used to access other G Suite applications, providing support for single sign-on (SSO). Google’s cloud services offer various forms of strong authentication and users also benefit from several other security controls that Google incorporates in all its services, including Suspicious Login Monitoring, Context Aware Access and the Advanced Protection Program.
Anonymous users can be allowed to join meetings if explicitly invited or allowed by the meeting organizer.
Google advertises several security and privacy certifications and accreditations for its cloud suite, including ISO27001, PCI DSS, HIPAA, FIPS, NHS Digital Commercial Third-Party Information Governance Requirements, Privacy Shield, GDPR and C5. In 2016, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or BSI) created the Cloud Computing Compliance Controls Catalog (C5). C5 is an audited standard that establishes a mandatory minimum baseline for cloud security and the adoption of public cloud solutions by German government agencies and organizations that work with government. C5 is also being increasingly adopted by the private sector.
However, Google, as a US-located company subject to the regulations of that country, might be compelled to intercept communications. Google has in the past faced criticism regarding abuses of privacy with its Business to Consumer (B2C) solutions, like Gmail and Search, where it has been accused of retrieving users’ personal information and preferences for targeted marketing. We don’t feel this could be said about its Business to Business offers, however.
G Suite Business, Enterprise, and Enterprise for Education customers can designate the region in which primary data for select G Suite apps is stored when at rest (globally, in the US, or in Europe) for data sovereignty. Customers can also use the data regions functionality to store select/covered data of Google Meet recordings in specific regions (i.e. the US or Europe). We could not, however, find evidence to suggest that regions would be enforced for voice, video or text traffic.
Google’s identity and access management (IAM) service lets administrators manage all user credentials and cloud applications access in one place.
Audit logging for Meet is available within the Admin console for G Suite Enterprise, and Google offers Access Transparency, a feature which logs any Google admin access to Meet recordings stored in Drive. Access Transparency is also offered as part of G Suite Enterprise.
G Suite Enterprise includes Data Loss Prevention (DLP) for Drive.
Meet users can enroll in Google’s Advanced Protection Program (APP), which provides protections against phishing and account hijacking.
There are no vulnerabilities recorded for this technology in the NIST National Vulnerability Database. Google is by no means immune to security bugs and exploits, and a few vulnerabilities have been reported in their previous ‘Hangouts’ product. However, although there is little data with which to assess this product’s security heritage, it would be fair to argue that Google has robust processes and a strong reputation in this regard.
BlueJeans provides an interoperable cloud-based video meetings service that connects many users across different devices, platforms and conference programs. Every BlueJeans member has a private “meeting room” in the BlueJeans cloud to schedule and host conference meetings. It operates with business conferencing solutions such as Cisco, Microsoft Lync, StarLeaf, Lifesize, and Polycom, as well as consumer services like Google.
Verizon Communications announced on April 16th, 2020, that it had entered into an agreement to acquire BlueJeans to expand its business portfolio, particularly its unified communications offerings. The transaction is expected to close in the second quarter of 2020.
BlueJeans provides end users with interoperability to ensure frictionless video conferencing, regardless of desktop operating system (e.g., Windows, macOS, Linux), browser (e.g., Chrome, Firefox, Safari, Edge, Opera), mobile device (e.g., iOS, Android), or virtual desktop infrastructure (e.g., Citrix). Hardware interoperability is extensive and includes Cisco, Poly, Lifesize, Dolby and more; essentially, anything based on the SIP or H.323 standards is interoperable with BlueJeans.
The software includes several stand-out features that will appeal to business owners and professionals. For example, meeting recordings can be broken down into chapters, with segment highlights, task assignment and smart follow-up.
On top of the fact that meetings have no time limit, hosts can create up to 20 breakout sessions and distribute participants as needed, which is great for collaborating on subtasks. You can easily share your screen, annotate with whiteboard functions, and even allow remote desktop access to an assignee. However, there is no option to blur out backgrounds for greater privacy and distraction-free meetings.
Administrators have advanced user management features and can utilise a centralised admin console to add and manage users, set access permissions and passwords as well as enable or disable features on a company-wide or group basis.
BlueJeans integrates with a number of other applications including Slack, Microsoft Teams, Microsoft Outlook, Google Calendar & Okta amongst others.
| Criterion | Rating | Notes |
|---|---|---|
| Uses an appropriate encryption algorithm | Fully | BlueJeans supports standards-based encryption (AES-128), which is available on most video endpoints today. See https://www.bluejeans.com/sites/default/files/pdf/Blue-Jeans-Network-Security.pdf |
| Uses a strong encryption key | Fully | AES-128 for calls and AES-256 for data at rest. |
| Data is encrypted in transit under normal use | Fully | Connections using BlueJeans client applications or web browsers for video are encrypted by default in BlueJeans meetings. |
| Data stays encrypted in transit on provider servers | Unclear | We could not clarify this from the available documentation. |
| Voice, Video and Text are all encrypted | Fully | “Enforce Encryption” can be set when scheduling a BlueJeans meeting to ensure only encryption-capable devices can join the meeting. |
| File transfers & session recordings are encrypted | Fully | Recordings are stored in secure containers in the cloud. These videos are encrypted at rest (AES-256) and are only accessible to the recording originator. |
| Vendor technically can’t decrypt the data at any point, even under regulatory pressure (full E2EE) | No | Not to our knowledge. |
| Encryption implementation has withstood scrutiny over time | Fully | |
| Administrators can define password security policies | Fully | Group Administrators who have set their Group’s Authentication Type to use a BlueJeans Username & Password can customise the Password Requirements for all their new and existing users. |
| Supports MFA as default | No | No native MFA is available; a third-party IdP is needed to provide it. |
| Can integrate with Active Directory or similar | Fully | See https://support.bluejeans.com/s/article/BlueJeans-SSO-Support-and-FAQ |
| Can integrate with SSO solutions via SAML or similar | Fully | See https://support.bluejeans.com/s/article/BlueJeans-SSO-Support-and-FAQ |
| Offers RBAC | Fully | See https://support.bluejeans.com/s/article/Managing-Features-for-Users |
| Allows passwords to be set for meetings | Partially | No passwords, but a Participant Passcode can be set. |
| Allows meeting password security policies to be set | No | |
| Headquarters address | USA | San Jose, California, USA |
| The vendor cannot technically access any data without the client’s consent | No | It would appear they can access data, but only with the consent of customers. |
| A full on-prem version is available for users who don’t want to trust the vendor | No | They do offer BlueJeans Relay, which allows integration of existing calendar services and conferencing equipment, but a connection to BlueJeans is still required. |
| For SaaS modes of deployment, the client can select which countries or political regions data is stored or processed in | No | We could not find any indication that this is a supported feature. |
| Complies with appropriate security certifications (e.g. ISO27002 or BSI C5) | Partially | No indication of having achieved ISO certification, although the data centre hosting providers are ISO 27001 certified, and BlueJeans claims to follow an ISO 27001 framework. |
| Complies with appropriate privacy standards (e.g. FERPA or GDPR) | Fully | See https://www.bluejeans.com/trust-center/compliance |
| Provides a transparency report that details information related to requests for data, records, or content | No | We could not find any reference to a transparency report. Their privacy report does state, however, that they will share information with third parties if necessary to “comply with a legal obligation, regulation, or government request.” |
| Offers other forms of access control to meetings, e.g. waiting rooms, lockout, banning etc. | Fully | See https://support.bluejeans.com/s/article/Meeting-Security-Features |
| Allows granular control over in-meeting actions like screen sharing, file transfer, remote control | Fully | See https://support.bluejeans.com/s/article/Administrator-s-Training-Guide#manage_features |
| Offers clear central control over all security settings | Fully | See https://support.bluejeans.com/s/article/Administrator-s-Training-Guide#manage_features |
| Allows for monitoring and maintenance of endpoint software versions | No | Relies on third parties for deployment. |
| Provides compliance features like eDiscovery & Legal Hold | No | No reference could be found to either eDiscovery or Legal Hold. |
| Auditing and Reporting | Partially | We couldn’t find a reference to audit logging; reporting on metrics and statistics is available in the BlueJeans Command Center. |
| Additional content security controls like DLP, watermarking, etc. | Partially | We couldn’t find any reference to DLP; however, watermarking is available. |
| Percentage of NVD 2019 | 0.00 | |
| Percentage of NVD 2020 | 0.00 | |
| Vendor discloses which vulnerabilities have been addressed | No | There is a bug bounty operated via Bugcrowd; however, disclosure of vulnerabilities is not allowed. BlueJeans’ own Security Advisories web page is empty. |
| Vendor runs a bug bounty | Fully | Yes, via Bugcrowd, but no disclosure of vulnerabilities is allowed. |
Like most video conferencing solutions, BlueJeans does not support end-to-end encryption. However, calls can still be AES-128 encrypted, and you can select “Enforce Encryption” when scheduling a BlueJeans meeting to ensure only encryption-capable devices can join the meeting.
Meeting recordings are stored in secure containers in the cloud. These videos are encrypted at rest (AES-256) and are only accessible to the recording originator. They may be shared by the recording originator with specified email addresses through the web user interface. These can be viewed as an encrypted (AES-128) playback stream using a web browser, or downloaded to an on-premise media server or storage device.
According to its website, BlueJeans uses the secure and widely adopted industry standard Security Assertion Markup Language (SAML) for its single sign-on method. This also means that BlueJeans’ implementation of SSO integrates easily with any large Identity Provider (IdP) that supports SAML. Officially supported Identity Providers include ADFS 2.0 & 3.0, Citrix Cloud, Okta, OneLogin, Centrify, Azure AD, Shibboleth, RSA SecurID, Ping Identity & Bitium.
We could not see any reference to native multi-factor authentication support in the BlueJeans application, however the supported SSO platforms should be capable of providing this.
BlueJeans services are hosted in six tier-4, co-location data centres around the world. Their primary production data centre is located at Equinix Inc. in San Jose, California, with three other data centres at Equinix facilities in Ashburn, Virginia; Amsterdam and Singapore. There is also an additional non-Equinix location in Sydney, Australia. AWS and Azure are also used for additional capacity and storage services around the globe.
BlueJeans complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. BlueJeans adheres to the Privacy Shield Principles.
BlueJeans has what appears to be a simple to use admin interface, although the options do appear to be limited. Default options can be configured, such as how recordings are handled, shared and retained. Password options can also be configured to require a minimum length and whether specific characters need to be present. Features such as Remote Desktop Sharing, Recording and the ability to host large meetings, can all be enabled or disabled centrally as defaults. The same features can also be turned on or off at a user level, along with what permissions a user has over the BlueJeans solution itself. Furthermore, there is the BlueJeans Command Center which is a service intelligence tool that offers real-time and historical data to IT organizations, including the ability to visualize, measure and manage their BlueJeans deployment.
The NIST National Vulnerability Database appears to have no entries for BlueJeans at this time. The BlueJeans Security Advisories page on its website also has nothing listed. It does have a bug bounty program through Bugcrowd, however it does not allow any disclosure. There are several people listed on the program’s hall of fame, suggesting that vulnerabilities have been found but not been made public.
1: Video killed the conferencing star
2: In-depth product analysis – Zoom & Microsoft Teams
3: Let’s examine Cisco Webex – A visionary player
4: Google Meet and BlueJeans – Re-engineered platforms for secure meetings
5: Tixeo and BigBlueButton
6: A closer look at Skype for business and Jitsi Meet
support.google.com/a/answer/7582940
support.google.com/googlecloud/answer/6056694
“AES-128 provides more than enough security margin for the foreseeable future. But if you’re already using AES-256, there’s no reason to change” – Bruce Schneier, July 2019 (https://www.schneier.com/blog/archives/2009/07/another_new_aes.html).
Head of Security Research
Charl van der Walt
Technical thought leader, spokesman and figurehead for Orange Cyberdefense world-wide, leading and managing the OCD Security Research Center – a specialist security research unit. We identify, track, analyze, communicate and act upon significant developments in the security landscape.
Senior Consultant Cybersecurity
A graduate of a French business school, Quentin is now a senior consultant at Orange Cyberdefense operating from Casablanca (Morocco). With nearly 10 years of experience, Quentin specialises in risk assessment and disaster recovery planning, as well as cybersecurity awareness.
A specialist in regulatory compliance, Jérôme Mauvais is a security consultant for Orange Cyberdefense. Highly invested in the protection of personal data, Jérôme has also been recognised throughout his career for his great ability to transmit knowledge.
Lead Security Researcher (MSIS Labs)
Carl has over 20 years’ experience working within IT, covering the whole breadth of the IT infrastructure, with a primary focus and interest on security-related solutions. This has been followed by a decade working in MSSPs, the latest of which was SecureData for over 7 years: initially as an Escalation Engineer, then moving into Professional Services, then to the Managed Threat Detection team as a Senior Security Analyst, before moving into the Labs team as a Lead Security Researcher.