Zoom Security Concerns
April 9, 2020 | Matthew McGill and Sammi LaBello
Zoom is one of the largest, and currently most popular, video meeting apps for business and personal use. However, popularity is drawing more attention to what some consider security flaws and privacy concerns in the system.
Zoom’s Rapid Growth and Security Shortfalls
Eric Yuan, Zoom founder and CEO, recently stated the company was not expecting the mass expansion that came after the Coronavirus hit. According to Yuan, at the end of 2019 there were about 20 million users on Zoom. In March of 2020, they reached 200 million.
Several features of the Zoom software have raised concerns for employees, business owners and government officials. These concerns prompted Yuan to issue an apology, saying Zoom had:
“…fallen short of the community’s – and our own – privacy and security expectations. For that, I am deeply sorry.”
Now, Yuan says they are working “around the clock” to address these concerns.
What to be aware of in the meantime?
1. Zoom-bombing
One popular Zoom act right now is called “Zoom-bombing.” While it may be innocent pranking for some, it raises privacy concerns for others. Zoom-bombing is when uninvited attendees break into and disrupt meetings, and it is happening around the world. This is a real concern for businesses trying to hold conference calls about confidential information.
Zoom-bombing is made possible because, by default, all meetings started by the same host share the same meeting ID. Another default is that meetings can be joined without a password. Hosts can generate a new meeting ID and set a password for each call, but neither setting is enabled by default.
Security researchers have also built an automated tool capable of finding around 100 Zoom meeting IDs within an hour. The tool specifically looks for meeting IDs that are not password protected, meaning anyone holding the 9- or 11-digit code could listen in on sensitive or private calls. While an uninvited listener would likely be noticed in a small group discussion, they could easily sit in on a call of 20 or more people without being detected.
2. Cloud Recording
Another serious concern is a feature called “cloud recording,” available to paid subscribers. It allows a host to record a meeting, along with a text transcript or a text file of any active chats in the meeting. The recording is then saved to the cloud, where it can be accessed by other users within your company, including people who never attended the meeting. Zoom does allow users to narrow the audience to only pre-approved IP addresses.
3. Data Sharing
Being able to set up an account using your Facebook account is common practice for many online systems. However, this is typically laid out in the fine print that is readily available when you agree to the terms of service. Zoom is being accused of not being transparent about the fact that it may share your data with Facebook, even if you don’t have a Facebook account.
4. Webcam Control
One of the most recent concerns was raised by a former NSA (National Security Agency) hacker. He discovered bugs that would allow attackers to take control of webcams and microphones on Mac computers running Zoom. He also found a vulnerability that enabled an attacker to gain root access to the host computer. This brings up several concerns for people’s personal privacy and safety. Patches for these vulnerabilities are now available, and it is recommended to patch immediately.
5. Attention Tracking
Another issue people have with the app is a feature called “attention-tracking.” It is built into Zoom and allows the host of a call to see whether each attendee has the Zoom window in the foreground. That means if students or employees don’t have the video chat front and center, their professor or manager will be able to tell. While this may appeal to some meeting hosts, it creates distrust among many users who feel they are being monitored unnecessarily.
Demands for Change
On Monday, March 30th, New York’s Attorney General Letitia James sent Zoom a letter outlining privacy vulnerability concerns and asking what steps the company had in place to keep users safe.
In the United Kingdom, government officials have been using Zoom for cabinet meetings. That is now being debated after these concerns were brought up.
Reportedly, Elon Musk is banning the use of Zoom for any work done on SpaceX projects. One of SpaceX’s biggest customers is NASA, which also prevents its employees from using it.
How You Can Stay Safe
There are a few ways to lessen the risk of using Zoom.
- Review your Zoom security settings.
- Configure Zoom to:
  - Generate new meeting IDs for each call.
  - Don’t make your meetings or classrooms public – make the meetings private by requiring a password for entry or use the waiting room feature to control who joins.
  - Use secure, alternate forms of communication to distribute passwords as necessary.
  - Disable cloud-recording features or restrict that capability to only the meeting host.
  - Restrict screen sharing to only the meeting host.
- Minimize Zoom permissions to only what you find necessary.
- Use anti-tracking software alongside your Zoom account. If you do not want Zoom, or other sites, sending your data to third parties, anti-tracking software can help mitigate this.
- Make sure your Wi-Fi network is secure and restricted to authorized users.
- Don’t share a link to your meeting in social media posts or other publicly available media – send meeting invites directly to participants only.
- Zoom made a security change back in January to turn on password requirements by default, so users should make sure they are running the latest version of the Zoom software.
- Ensure your remote work policies/IT policies outline how to configure/use Zoom if your organization allows the use of it.
- Zoom also has a number of other suggestions on a blog post: https://blog.zoom.us/wordpress/2020/03/20/keep-uninvited-guests-out-of-your-zoom-event/
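The advice above to keep meeting IDs password-protected and out of public posts can be turned into a pre-publication check. The following is an added example, not the authors' or Zoom's code: it scans an outbound message for Zoom join links and written-out meeting IDs and flags any that carry no passcode. It assumes the common invite formats (https://<subdomain>.zoom.us/j/<id>?pwd=... and "Meeting ID: ... / Passcode: ..."); the `Finding`, `scan_outbound_text` and `unprotected_ids` names are mine.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Assumed invite formats (not taken from the article): join links look like
# https://<subdomain>.zoom.us/j/<meeting id>[?pwd=<passcode>], and plain-text
# invites carry "Meeting ID: 123 456 7890" with a "Passcode:" line nearby.
# Meeting IDs are taken as 9 to 11 digits; the article cites 9- or 11-digit codes.
URL_RE = re.compile(r"https?://[\w.-]*zoom\.us/j/(\d{9,11})(?:\?\S*)?", re.I)
TEXT_ID_RE = re.compile(r"meeting\s*id\s*[:#]?\s*((?:\d[\s-]?){9,11})", re.I)
PASSCODE_RE = re.compile(r"pass(?:code|word)\s*[:#]?\s*\S+", re.I)


@dataclass
class Finding:
    meeting_id: str
    source: str         # "url" (join link) or "text" (written-out meeting ID)
    has_passcode: bool  # passcode embedded in the link or listed in the message


def _passcode_in_url(url: str) -> bool:
    """True when the join link carries a non-empty pwd= query parameter."""
    query = parse_qs(urlparse(url).query)
    return bool(query.get("pwd", [""])[0])


def scan_outbound_text(text: str) -> list[Finding]:
    """Find every Zoom meeting reference in a message about to be published."""
    findings = []
    for m in URL_RE.finditer(text):
        findings.append(Finding(m.group(1), "url", _passcode_in_url(m.group(0))))
    # A written-out ID counts as protected only if a passcode is given in the message.
    passcode_listed = PASSCODE_RE.search(text) is not None
    for m in TEXT_ID_RE.finditer(text):
        meeting_id = re.sub(r"[\s-]", "", m.group(1))
        findings.append(Finding(meeting_id, "text", passcode_listed))
    return findings


def unprotected_ids(text: str) -> list[str]:
    """Meeting IDs that would be exposed without a passcode if this text went public."""
    return sorted({f.meeting_id for f in scan_outbound_text(text) if not f.has_passcode})


# Constructed sample messages (not real meetings) for a quick self-check.
PUBLIC_POST = ("Join our all-hands tomorrow! https://us02web.zoom.us/j/123456789\n"
               "Meeting ID: 123 456 789")
SAFE_INVITE = "https://zoom.us/j/98765432101?pwd=abc123 Passcode: abc123"

if __name__ == "__main__":
    for label, msg in (("public post", PUBLIC_POST), ("safe invite", SAFE_INVITE)):
        print(f"{label}: unprotected meeting IDs = {unprotected_ids(msg)}")
```

A link that carries a passcode still identifies the meeting, so treating any hit as "review before posting" is the safer policy; the passcode check only tells you how bad a leak would be.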
While all of these steps can help, many cybersecurity experts are advising anyone with especially sensitive data or conversations to find a more secure alternative.
Microsoft Teams: This service is included in all Office 365 subscriptions. If you haven’t taken advantage of this chat and video conferencing software from Microsoft, it may already be covered by the licenses you pay for.
Apple FaceTime: If security is paramount for your discussion, Apple’s FaceTime service offers video conferencing for up to 32 individuals, with all communication featuring end-to-end encryption. Not even Apple has access to the data communicated through its service. However, all employees must have an Apple device (Mac, iPad or iPhone).
Google Duo or Google Hangouts: This service is included with all G Suite business licenses. While it may not feature end-to-end encryption, it offers (via a transparent user interface) many of the privacy features users are looking for that Zoom currently lacks.
Cisco Webex and GoToMeeting: These video chat applications have been around for many years, and each offers a different set of robust features similar to those offered by Zoom.