Is Zoom safe to use? Staying secure when video conferencing

It’s accessible, easy to use – and the free version gives you 40-minute group meetings with up to 100 people. So what’s not to like about Zoom?

Between December 2019 and March 2020, Zoom’s daily meeting participants surged from 10 million to 200 million. The lockdown was driving video conferencing adoption at unprecedented levels – and it just so happened that Zoom was becoming the go-to app for grannies, CEOs and pretty much everyone else.

But alongside this, a steady flow of security and privacy issues started to emerge. Here’s a closer look at those problems, at how they’ve been addressed – and at what all of this teaches us about app security.

What is Zoom?

Zoom is one of the many cloud-based video conferencing tools available out there. The free version gives you an unlimited number of meetings, including multi-party sessions of up to 40 minutes in length. There are also three premium pricing tiers (Pro, Business and Enterprise) that open up various corporate-focused benefits, such as the ability to record meetings, cloud storage and webinar hosting, company branding and various levels of customer support.

Zoom can be accessed via Android and iOS mobile apps and via desktop apps for Windows and macOS. Browser extensions are also available for Chrome and Firefox.

Zoom security issues

Zoombombing

  • Zoombombing is where an unauthorized person joins a Zoom meeting or chat session with malicious or mischievous intent.
  • There have been multiple instances of intruders hijacking calls, posting hate speech and pornography, to the extent that the FBI issued a warning to users to exercise ‘due diligence and caution’.
  • Corporate meetings, academic institutions and informal social groups have all been targeted. In the UK, there were reports of a Zoom chat for fans of BBC Radio 4 soap, The Archers being bombarded with “pornography and Nazi swastikas”.
  • Zoombombers had been sharing Zoom meeting IDs and coordinating attacks via online forums, and recording their Zoombombing attacks for TikTok and YouTube.
  • Many users were failing to password-protect their meetings. Meanwhile, attackers had come up with zWarDial, an automated tool for finding Zoom meetings that had no password set. In response, Zoom turned on meeting passwords and ‘virtual waiting rooms’ by default: in other words, the kind of common-sense access controls that should have been the default from the start.

Encryption

  • In its marketing material, Zoom claimed that its conferencing service was “end-to-end encrypted”. In its commonly understood sense, end-to-end encryption means that only the participants’ own devices hold the keys, so nobody in between – the service provider included, as well as anyone who intercepts the traffic – can decrypt the communication.
  • On the back of Zoom’s seemingly robust encryption credentials, the app had attracted a wide range of security-conscious users. Examples included healthcare providers, government departments, and even the British Cabinet.
  • Research by Citizen Lab showed that Zoom meetings were not end-to-end encrypted in that sense: Zoom’s own servers generated and distributed the meeting keys, so Zoom itself could decrypt calls. The research also found that Zoom’s transport protocol encrypted audio and video with AES-128 in ECB mode. The weakness here is not AES-128, which remains a sound cipher, but ECB mode, which encrypts every 16-byte block independently and therefore preserves patterns in the input: an intercepted video frame can remain recognisable even after encryption.
  • In test calls between two participants in North America, Citizen Lab also observed the meeting key being delivered from a server in Beijing. The combination of high-profile users, weak cryptography and China-based key servers was flagged as a potential recipe for nation-state interception attempts.
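The pattern leak just described, shown as an added worked example. This is illustration code written for this page in Go using only the standard library; it is not Zoom’s code and not the Citizen Lab test harness. It encrypts a constructed stand-in for a video frame (a flat background with one differing block) first with AES-128 in ECB mode, then with AES-128-GCM, counts how many ciphertext blocks repeat an earlier block, and finally shows that GCM rejects a ciphertext that was modified in transit, which ECB cannot do. The all-zero key, the frame bytes and all function names are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// encryptECB encrypts each 16-byte block independently: no chaining, no nonce.
// Identical plaintext blocks therefore give identical ciphertext blocks, which
// is why the outline of an image survives "encryption" in this mode.
func encryptECB(block cipher.Block, plaintext []byte) []byte {
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		panic("ecb: plaintext must be a whole number of blocks")
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out
}

// encryptGCM uses AES-GCM with a fresh random nonce per message. The nonce
// hides repeated blocks and the appended tag lets the receiver detect tampering.
func encryptGCM(block cipher.Block, plaintext []byte) (nonce, ciphertext []byte, err error) {
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, nil), nil
}

// decryptGCM returns an error if the ciphertext or its tag was modified.
func decryptGCM(block cipher.Block, nonce, ciphertext []byte) ([]byte, error) {
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ciphertext, nil)
}

// repeatedBlocks counts ciphertext blocks that duplicate an earlier block.
// Anything above zero on real media is the classic fingerprint of ECB mode.
func repeatedBlocks(ciphertext []byte, bs int) int {
	seen := make(map[string]bool)
	dups := 0
	for i := 0; i+bs <= len(ciphertext); i += bs {
		k := string(ciphertext[i : i+bs])
		if seen[k] {
			dups++
		}
		seen[k] = true
	}
	return dups
}

// sampleFrame is a constructed stand-in for a video frame: a flat background
// of identical bytes (eight 16-byte blocks) in which one block differs.
func sampleFrame() []byte {
	frame := bytes.Repeat([]byte{0x80}, 16*8)
	copy(frame[16*3:16*4], []byte("a visible edge!!")) // exactly 16 bytes
	return frame
}

func main() {
	key := make([]byte, 16) // AES-128 key; all zero only so the demo is reproducible
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	frame := sampleFrame()

	ecb := encryptECB(block, frame)
	fmt.Printf("ECB: %d of %d ciphertext blocks repeat an earlier one\n",
		repeatedBlocks(ecb, 16), len(ecb)/16)

	nonce, gcm, err := encryptGCM(block, frame)
	if err != nil {
		panic(err)
	}
	fmt.Printf("GCM: %d of %d ciphertext blocks repeat an earlier one\n",
		repeatedBlocks(gcm, 16), len(gcm)/16)

	gcm[0] ^= 0x01 // an on-path attacker flips a single bit
	if _, err := decryptGCM(block, nonce, gcm); err != nil {
		fmt.Println("GCM: tampering detected:", err)
	}
}
```

Under ECB the seven identical background blocks come out as seven identical ciphertext blocks, so the single differing block stands out exactly where it sat in the plaintext; under GCM no block repeats, and flipping one bit makes decryption fail outright rather than quietly yielding corrupted video.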

Installer issues

Motherboard discovered that Zoom’s iOS app was sending analytics information to Facebook (e.g. a user’s time zone and city) even if the user did not have a Facebook account. This was not made clear in Zoom’s privacy policy. The company subsequently apologised and issued an iOS app update that removed the Facebook SDK.

Zoom: tips for safe usage

  • Opt for private meetings and make use of the waiting room feature to keep control of who is joining the meeting.
  • Instead of using publicly available social media posts, send your meeting links to specific people via direct messaging.
  • Consider disabling screen sharing for non-hosts (this can be done by navigating to Share Screen > Advanced Sharing Options from the host controls at the bottom of the screen).
  • Once all intended participants are in and the meeting has started, lock the meeting to outsiders.

Choice and usage of video conferencing software: cybersecurity tips

For business uses, opt for business-grade software. This should typically have a wider range of settings to help you stay in control and lock down meetings where required.

Read the security small print. Don’t just go by vague claims made in the marketing material. For instance, if it is stated that the platform features end-to-end encryption, does that apply to actual meetings – or does it just relate to the chat function?

Keep on top of updates and patches. This is essential for ensuring that known vulnerabilities in the client are closed off before someone exploits them.

Start using roll calls to monitor access. The frequent failure to exercise any real access control in video conferences is striking, even when sensitive material is under discussion. For instance, one survey found that 50% of conference callers admitted hosting remote meetings when they didn’t really know who was in the room.

Update your access codes. Often the same code is shared across an organization many times over a long period. The longer it circulates, the harder it becomes to know whose hands it has ended up in, and therefore to control access.

Want to know more about identifying security vulnerabilities in the software you are using? Explore our courses and start growing your skills today.

Update your skillset

Time on your hands? This could be the ideal opportunity to grow your cybersecurity skills and advance your career. Explore our full range of courses here.

  • Kapil Pareek says:

    I think authentication should be implemented here. In my view, when a person organizes a conference he/she should first send an invitation before starting the conference. That invitation contains user credentials such as a user ID and password; only authorized people can join the group. Also, the passwords are one-time use and are transmitted in encrypted form. Two-factor authentication can also be used so that no unauthorized person can join the conference. For securing video recordings, also maintain a hash function with a digital signature.

    • Nathan House says:

      Authentication always helps if you want things to be private. Some people’s conversations are not private, so in those situations it’s not an issue.

  • Fred says:

    Thanks Nathan, good summary… gtx Fred

  • Stefano says:

    So would you say that Zoom isn’t fit for business-grade from a security standpoint? Which software would be fit?

    • Nathan House says:

      It depends on how you use it and what for. We use it here for meetings with the added mitigations listed above. But we also don’t have massive 20+ people meetings, so we can see if anyone is on that shouldn’t be. If we were exchanging anything very sensitive we wouldn’t use it. The Signal app is good for that.

  • Nathan House says:

    Hackers Are Selling a Critical Zoom Zero-Day Exploit for $500,000

    https://www.vice.com/en_us/article/qjdqgv/hackers-selling-critical-zoom-zero-day-exploit-for-500000

  • Robert Armintrout says:

    Nathan, this was a great overview of issues with the Zoom security flaws. Thanks for the clear and concise explanation

  • Juan says:

    Thank you Nathan. Very insightful.

  • justin k j says:

    very good information about security issues related to zoom app

  • VT says:

    Nathan Old Chap. I just advised my clients against using Zoom.
    I subscribed to Your Cybersecurity courses a few years ago, and can’t say enough good things about them. They really set me straight.
    Cheers

  • Simon says:

    Nice summary. I do think that the damage Zoom has done to itself will exclude it from enterprise environments though. They can fix problems, but they have shown that they were untrustworthy.

    • Nathan House says:

      Zoom have reacted and improved the security. Enterprises don’t have security as their top priority in most cases, so Zoom will be just fine in my opinion.

  • Jackson says:

    Hi Nathan, excellent blog about Zoom.

    Under the “Installer Issues” section of the blog, you mentioned a group named “Motherboard” discovered that Zoom’s iOS app was sending analytics information to Facebook.

    I was wondering if possible, would you be able to share where that information came from (Web address)?

    Thanks in advance!

  • monroe Johnson says:

    Another informative article

  • Willem says:

    Thanks Nathan, I enjoyed reading this extensive summary.

  • Achilles Resolute says:

    Thanks for your tips. We are going to use Zoom with authentication next time.

  • Alishia says:

    Hi Nathan, I wanted to add one more safety precaution here i.e. to disable all file transfers, annotations, and the autosave feature for chats.
