It’s accessible, easy to use - and the free version gives you 40-minute group meetings with up to 100 people. So what’s not to like about Zoom?
Between December and March, Zoom’s daily meeting participants surged from 10 million to 200 million. The lockdown was driving video conferencing adoption at unprecedented levels - and it just so happened that Zoom was becoming the go-to app for grannies, CEOs and pretty much everyone else.
But alongside this, a steady flow of security and privacy issues started to emerge. Here’s a closer look at those problems, at how they’ve been addressed - and at what all of this teaches us about app security.
What is Zoom?
Zoom is one of the many cloud-based video conferencing tools available. The free version gives you an unlimited number of meetings, including multi-party sessions of up to 40 minutes in length. There are also three premium pricing tiers (Pro, Business and Enterprise) that open up various corporate-focused benefits, such as the ability to record meetings, cloud storage and webinar hosting, company branding and various levels of customer support. Zoom can be accessed via Android and iOS mobile apps and a desktop app for Windows and macOS. Browser extensions are also available for Chrome and Firefox.
Zoom security issues
- Zoombombing is where an unauthorized person joins a Zoom meeting or chat session with malicious or mischievous intent.
- There have been multiple instances of intruders hijacking calls, posting hate speech and pornography, to the extent that the FBI issued a warning to users to exercise ‘due diligence and caution’.
- Corporate meetings, academic institutions and informal social groups have all been targeted. In the UK, there were reports of a Zoom chat for fans of the BBC Radio 4 soap The Archers being bombarded with “pornography and Nazi swastikas”.
- Zoombombers had been sharing Zoom meeting IDs, coordinating hacking attacks via online forums and recording their Zoombombing attacks on TikTok and YouTube.
- Many users were failing to password-protect their meetings. Meanwhile, attackers had come up with zWarDial, an automated tool for finding open Zoom rooms and meetings. In response, Zoom introduced password protection and ‘virtual waiting rooms’ by default: in other words, the type of common-sense security features that should have been in place in any event.
- In its marketing material, Zoom claimed that its conferencing service is “end-to-end encrypted”. In its commonly understood sense, end-to-end encryption means that only the participants can decrypt the communication: it cannot be intercepted and read at any point during transmission, including by the service provider.
- On the back of Zoom’s seemingly robust encryption credentials, the app had attracted a wide range of security-conscious users. Examples included healthcare providers, government departments, and even the British Cabinet.
- Research by Citizen Lab showed that Zoom meetings were not actually end-to-end encrypted in the commonly understood sense. Rather, Zoom’s transport protocol encrypts and decrypts audio and video with a single AES-128 key used in ECB mode, a mode that encrypts every 16-byte block independently and so preserves patterns in the input. When it comes to video, this means that the outlines of intercepted images can remain recognisable even though the stream is encrypted.
- In test calls between two participants in North America, Citizen Lab also observed meeting keys being sent via servers in Beijing. The combination of high-profile users, limitations in the cryptography and China-based servers was flagged as a potential recipe for nation-state attack attempts.
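The pattern-preservation problem Citizen Lab described comes from using AES in ECB mode, where each 16-byte block is encrypted independently under the same key. The following Go program is an added illustration, not code from the article or from Zoom: it encrypts a constructed “frame” of identical blocks (standing in for a flat region of colour) with ECB and with CTR mode, and counts how many distinct ciphertext blocks each produces. The key, nonce and sample data are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed sample "frame": 8 identical 16-byte blocks, standing in for a flat
// region of colour. Demo key and nonce are fixed only so the run is repeatable.
var sampleFrame = bytes.Repeat([]byte("solid-colour-blk"), 8)
var demoKey = []byte("0123456789abcdef") // 16 bytes = AES-128
var demoIV = []byte("fixed-demo-nonce")  // 16 bytes
// encryptECB runs the raw block cipher over each block independently; Go's standard
// library offers no ECB helper on purpose, and this loop is all that ECB is.
func encryptECB(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil || len(plaintext)%aes.BlockSize != 0 {
		panic("bad key or plaintext length")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += aes.BlockSize {
		block.Encrypt(out[i:i+aes.BlockSize], plaintext[i:i+aes.BlockSize])
	}
	return out
}
// encryptCTR XORs each block with a distinct keystream block, so identical
// plaintext blocks no longer yield identical ciphertext blocks.
func encryptCTR(key, iv, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(out, plaintext)
	return out
}
// distinctBlocks counts the different 16-byte blocks in a ciphertext; a count far
// below the number of blocks means the plaintext's structure is visible.
func distinctBlocks(ct []byte) int {
	seen := map[[aes.BlockSize]byte]bool{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		var b [aes.BlockSize]byte
		copy(b[:], ct[i:])
		seen[b] = true
	}
	return len(seen)
}
func main() {
	fmt.Println("blocks:", len(sampleFrame)/aes.BlockSize, "distinct ECB:", distinctBlocks(encryptECB(demoKey, sampleFrame)), "distinct CTR:", distinctBlocks(encryptCTR(demoKey, demoIV, sampleFrame)))
}
```

With ECB the eight identical plaintext blocks collapse to one repeated ciphertext block, which is exactly the repetition an eavesdropper can see in an encrypted video stream; with CTR all eight differ.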
Zoom: tips for safe usage
- Opt for private meetings and make use of the waiting room feature to keep control of who is joining the meeting.
- Instead of using publicly available social media posts, send your meeting links to specific people via direct messaging.
- Consider disabling screen sharing for non-hosts (this can be done by navigating to Share Screen > Advanced Sharing Options from the host controls at the bottom of the screen).
- Once all intended participants are in and the meeting has started, lock the meeting to outsiders.
Choice and usage of video conferencing software: cybersecurity tips
For business uses, opt for business-grade software. This should typically have a wider range of settings to help you stay in control and lock down meetings where required.
Read the security small print. Don’t just go by vague claims made in the marketing material. For instance, if it is stated that the platform features end-to-end encryption, does that apply to actual meetings - or does it just relate to the chat function?
Keep on top of updates and patches. This is essential for ensuring that known vulnerabilities are closed off.
Start using roll calls to monitor access. The frequent failure to exercise any real access control in video conferences is striking, even when sensitive material is under discussion. For instance, one survey found that 50% of conference callers admitted hosting remote meetings when they didn’t really know who was in the room.
Update your access codes. Sometimes these are shared within an organization many times and over a long timeframe. As a result, it becomes a lot harder to control whose hands they end up in, and therefore to control access.