IT Security

Zoom’s security record has come under heavy scrutiny recently, as a series of stories have suggested the software is not safe to use. With Zoom being used far more during the COVID-19 pandemic, it is important that users understand what the reported security weaknesses actually are, and what they are not.

Introduction/what is Zoom

Zoom is a video communications tool that was first introduced in 2011. It has since cemented its place as one of the most popular video conferencing solutions around. It’s so popular that even the word ‘Zoom’ is increasingly being used as a verb to describe the act of video-calling someone (like ‘Google’ or ‘Uber’).

As businesses have scrambled to find a video conferencing solution that suits their needs, Zoom (along with Microsoft Teams) has become the go-to option. However, as it has grown more popular it has found itself in the headlines for all the wrong reasons, as experts have suggested it is not as secure as it should be.

Zoom Vulnerabilities

Below are just some examples of the security concerns that have been highlighted recently:

  • Encryption – It has been reported that, despite what Zoom’s marketing implied, Zoom meetings were not end to end encrypted. Traffic was encrypted between each participant and Zoom’s servers (transport encryption), but the servers handled the meeting content itself, so Zoom, or anyone who gained access to its infrastructure or could compel it legally, could in principle read that content. Genuine end to end encryption keeps the keys on the participants’ devices, leaving the servers nothing but ciphertext to relay. This does not mean calls were unprotected: an attacker on the network still faces the usual transport security and would have to defeat it, or get into Zoom’s systems, to see anything. The guarantee is simply weaker than the label suggested.
  • Data leak to Facebook – It was discovered that Zoom’s iOS app sent data to Facebook even for users who do not have a Facebook account. The app bundled Facebook’s software development kit in order to offer ‘Login with Facebook’ alongside the other login methods, and that SDK reported basic device information (such as the phone model and a device advertising identifier, not usernames or passwords) to Facebook when the app was opened. Zoom removed the SDK almost immediately once this was made public, but it was a poor oversight from a security point of view: shipping a third-party SDK means inheriting whatever data collection it performs. The Zoom CEO has apologised for it.
  • Zoombombing – ‘Zoombombing’ is when uninvited strangers join a meeting by guessing, or scanning for, its nine- to eleven-digit meeting ID. If the meeting has no password and no waiting room, a valid ID is all that is needed to get in, so a random person could join a confidential call, disrupt it or behave inappropriately, and the host would then have to remove them.
  • Credential phishing via UNC paths – A researcher found a flaw in the Windows client’s chat feature that could let an attacker steal a user’s Windows login credentials. The chat converts URLs into clickable hyperlinks, but it did the same for network UNC paths (for example \\attacker-server\share). When a user clicked such a link, Windows tried to open the share over SMB and, as part of that, sent the user’s Windows username and NTLM password hash to the remote server, where an attacker could capture the hash and attempt to crack it offline.
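
The encryption point above is easiest to see with a small model. The following is an added example, not code from the article or from Zoom: two participants send a frame through a relay server, once under transport encryption (each participant shares a key with the server, which therefore decrypts and re-encrypts every frame) and once under end to end encryption (the participants share a meeting key the server never holds). The cipher is a deliberately simple SHA-256 counter keystream so that the example runs on the Python standard library alone; it illustrates the trust model and is not a cipher to use.

```python
# Added example (not from the article, and not Zoom's code): a toy model of
# the difference between "encrypted in transit" and "end-to-end encrypted".
# In the transport model each participant shares a key with the SERVER, so the
# server decrypts and re-encrypts every frame and sees the plaintext.  In the
# end-to-end model the participants share a meeting key the server never holds,
# so it can only forward ciphertext.  The cipher is a toy SHA-256 counter
# keystream chosen so the example needs only the standard library.
import hashlib
import os

NONCE_LEN = 12


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with SHA-256(key || nonce || counter) blocks."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(d ^ k for d, k in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per frame, prepended to the ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, frame: bytes) -> bytes:
    nonce, ciphertext = frame[:NONCE_LEN], frame[NONCE_LEN:]
    return keystream_xor(key, nonce, ciphertext)


class RelayServer:
    """Forwards frames between participants and records what it could read."""

    def __init__(self, client_keys=None):
        # Non-empty client_keys => transport-encryption model (server holds keys).
        self.client_keys = client_keys or {}
        self.observed = []

    def forward(self, sender: str, recipient: str, frame: bytes) -> bytes:
        if self.client_keys:
            # Transport model: decrypt with the sender's key, re-encrypt for the
            # recipient.  The plaintext is in the server's hands at this point.
            plaintext = decrypt(self.client_keys[sender], frame)
            self.observed.append(plaintext)
            return encrypt(self.client_keys[recipient], plaintext)
        # End-to-end model: no key on the server, so it only ever sees ciphertext.
        self.observed.append(frame)
        return frame


def transport_encrypted_call(message: bytes):
    """Alice -> server -> Bob, each hop under a key shared with the server.
    Returns (what Bob received, whether the server saw the plaintext)."""
    keys = {"alice": os.urandom(32), "bob": os.urandom(32)}
    server = RelayServer(client_keys=keys)
    delivered = server.forward("alice", "bob", encrypt(keys["alice"], message))
    received = decrypt(keys["bob"], delivered)
    return received, message in server.observed


def end_to_end_call(message: bytes):
    """Alice -> server -> Bob under a meeting key only the participants hold.
    Returns (what Bob received, whether the server saw the plaintext)."""
    # In practice the participants agree this key between themselves; the
    # server is never given it (assumed here by simply not handing it over).
    meeting_key = os.urandom(32)
    server = RelayServer()
    delivered = server.forward("alice", "bob", encrypt(meeting_key, message))
    received = decrypt(meeting_key, delivered)
    return received, message in server.observed


if __name__ == "__main__":
    secret = b"Q3 revenue figures, board eyes only"  # constructed sample frame
    for name, call in (("transport", transport_encrypted_call), ("end-to-end", end_to_end_call)):
        received, leaked = call(secret)
        print(f"{name:11s} delivered intact: {received == secret}, server saw plaintext: {leaked}")
```

Both calls deliver the frame intact; the difference is entirely in what the relay could log. That is the distinction the Zoom reporting turned on: ‘encrypted’ was true in both senses, but only the second model denies the service operator access to the content.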

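The UNC path issue is a general class of bug: a chat ‘linkifier’ that treats anything URL-like as a link. The following is an added example, not Zoom’s code, and the regular expressions are an illustration of the behaviour described in the reports rather than the client’s actual implementation. It shows a naive linkifier beside a hardened one that links only http(s) URLs, and a detector that flags UNC paths in chat text for monitoring. The sample message and host names are constructed for the example.

```python
# Added example (not from the article, and not Zoom's code): the class of bug
# behind the UNC-path chat issue.  A naive linkifier that turns anything
# URL-like into a clickable link is shown beside a hardened one that links only
# http(s) URLs, plus a detector that flags UNC paths in chat text.  The patterns
# illustrate the reported behaviour, not the client's real implementation; the
# sample message and host names are constructed.
import html
import re

# Naive: a URL *or* a \\server\share... path becomes a link (the flawed behaviour).
NAIVE_LINK_RE = re.compile(r"https?://\S+|\\\\[^\s\\]+(?:\\[^\s\\]*)*")
# Hardened: only http(s) URLs are ever turned into links.
SAFE_LINK_RE = re.compile(r"""https?://[^\s<>"']+""")
# Detector: \\host followed by zero or more \segment components.
UNC_PATH_RE = re.compile(r"\\\\[A-Za-z0-9._-]+(?:\\[^\s\\]+)*")

# Constructed chat message: one UNC path to an attacker's host, one normal URL.
SAMPLE_MESSAGE = r"slides at \\attacker-server\share\deck.pptx and https://example.com/agenda please"


def linkify(text: str, pattern) -> str:
    """HTML-escape `text` and wrap each match of `pattern` in an <a> tag."""
    out, pos = [], 0
    for m in pattern.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        target = m.group(0)
        out.append(f'<a href="{html.escape(target, quote=True)}">{html.escape(target)}</a>')
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


def naive_linkify(text: str) -> str:
    r"""Vulnerable: clicking the resulting \\host\share link makes Windows open
    the share over SMB and send the user's NTLM credentials to `host`."""
    return linkify(text, NAIVE_LINK_RE)


def safe_linkify(text: str) -> str:
    """Hardened: UNC paths stay as inert text; only http(s) URLs become links."""
    return linkify(text, SAFE_LINK_RE)


def find_unc_paths(text: str) -> list:
    """All UNC paths in a message, e.g. for a chat-log detection rule."""
    return UNC_PATH_RE.findall(text)


def unc_host(path: str) -> str:
    r"""The server component of a UNC path: \\host\share -> 'host'."""
    return path.lstrip("\\").split("\\", 1)[0].lower()


def untrusted_unc_paths(text: str, trusted_hosts) -> list:
    """UNC paths whose server is not a known corporate file server.
    A path pointing anywhere else is what an attacker would post."""
    trusted = {h.lower() for h in trusted_hosts}
    return [p for p in find_unc_paths(text) if unc_host(p) not in trusted]


if __name__ == "__main__":
    print("naive    :", naive_linkify(SAMPLE_MESSAGE))
    print("safe     :", safe_linkify(SAMPLE_MESSAGE))
    print("UNC paths:", find_unc_paths(SAMPLE_MESSAGE))
    print("untrusted:", untrusted_unc_paths(SAMPLE_MESSAGE, {"fileserver01"}))
```

The fix in the application is simply to stop treating UNC paths as links. Independently of any one application, Windows administrators can also restrict outgoing NTLM authentication to remote servers through the ‘Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers’ policy, which limits this class of credential leak whatever the client that triggers it.
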
What should you do as a business?

To reduce the chance of your company falling victim to these issues, you should do the following:

  • Password protect meetings – In order to lock down video calls/meetings, you should make them password protected. In Zoom, this can be done by going to ‘User settings’ and enabling ‘Require a password for instant meetings’.
  • Generate new ID – Zoom gives you a Personal Meeting ID when you sign up and uses it by default. Instead, let Zoom generate a random ID for each meeting, which you can choose when scheduling it. That way, if someone gets hold of your personal ID, they cannot use it to find and disrupt future meetings.
  • Don’t announce meetings – When sharing the join details of a Zoom meeting, do not post them on social media or anywhere public where anyone can see them. Send them directly to the people you want to attend, for example by email or WhatsApp.
  • Limit features – As the host of a meeting, you can switch certain features off or limit who can use them in the settings. For example, you can restrict screen sharing to the host, so that only people you trust can share what is on their screen.
  • Other recommended settings – To be prudent, there are a number of other useful settings in Zoom that should be considered:
    • Disable Join before host – So attendees cannot start the meeting before the organiser arrives.
    • Lock a meeting – Once everyone you expect has joined, locking the meeting stops anyone else from entering, even with the ID and password.
    • ‘Waiting room’ – Attendees can only join the meeting once the host admits them, so it acts as a ‘virtual lobby’.
    • File transfers/private chat – These features can also be disabled to avoid potential issues.

Conclusion

So, this begs the question: is Zoom unsafe to use? No is the short answer. Whilst a number of vulnerabilities have been exposed, many of them have since been fixed, and unless you are disclosing highly confidential information over Zoom, you are fine. Zoom has rather quickly and forcefully been put under the microscope as a result of COVID-19. This has caught the company off guard a little, and it therefore needs to improve its overall security as quickly as possible. Whilst it has no doubt been slack in certain instances, this should not be confused with Zoom being a shady, untrustworthy company that has been trying to deceive everyone: it has made some errors of judgement and is now constantly trying to improve its security.

If you have any other questions regarding the above, please get in touch.