Zoom Hardening

The video conferencing software Zoom has gotten quite popular. With popularity has come more scrutiny into Zoom’s security. Some security and privacy issues have emerged. Here are some of the issues and some general tips to increase security and privacy.

Zoom-bombing

Zoom-bombing is when an unauthorized person joins a Zoom meeting or chat session with malicious or mischievous intent. The FBI has issued a warning to exercise “due diligence and caution” when using teleconferencing software. No one should consider themselves exempt from being targeted. The BBC reported that an online video chat for fans of the BBC Radio 4 show The Archers had to be abandoned after “being bombarded with pornography and Nazi swastikas”. zWarDial is an automated tool that finds open Zoom rooms and meetings. If you don’t set a password to protect your room, anyone can join, and the search for unprotected rooms can be automated. Zoom has since made password protection and virtual waiting rooms the default in response to these threats. Common-sense security features like these should have been in place from the start.

Encryption

Zoom claims that its conferencing service is “end-to-end encrypted”. End-to-end encryption usually means that communications cannot be intercepted and decrypted at any point during transmission, not even by the service provider. Research by Citizen Lab showed that Zoom meetings were not actually end-to-end encrypted in the commonly understood sense. When Citizen Lab did their research, Zoom claimed the app uses AES-256 encryption for meetings when possible. During Citizen Lab’s tests, a single AES-128 key, shared by all meeting participants, was used to encrypt and decrypt audio and video, and the cipher was used in a way that preserves patterns in the input. For video, this means that the outlines of intercepted images can remain visible. In test calls between participants in North America, Citizen Lab found that meeting keys were being sent via servers in China, which could allow authorities in China to demand that Zoom disclose the encryption keys.
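The pattern leakage described above is the behaviour of ECB (electronic codebook) mode, which is the mode Citizen Lab reported: every identical plaintext block encrypts to the identical ciphertext block, so the layout of a frame survives encryption. The following added example is not code from this article or from Zoom. It encrypts a constructed, image-like “frame” in ECB mode and in counter (CTR) mode and then sketches which ciphertext blocks repeat. To keep the script free of third-party libraries it uses a toy 16-byte Feistel block cipher keyed with HMAC-SHA256 as a stand-in for AES (not a cipher for real use; the leakage is a property of the mode, not of the cipher). The key, nonce and frame are constructed values.

```python
"""Constructed demonstration (not Zoom's code): why a block-cipher mode that
preserves plaintext patterns leaks the shape of encrypted video frames.

The block cipher below is a toy 4-round Feistel network keyed with HMAC-SHA256.
It stands in for AES so the script runs with the standard library only; it is
NOT a cipher for real use.  Pattern leakage is a property of the ECB *mode*,
not of the underlying cipher, so the demonstration carries over to AES-ECB.
"""
import hashlib
import hmac

BLOCK = 16   # block size in bytes (same as AES)
ROUNDS = 4   # Feistel rounds; four rounds of a PRF give a pseudorandom permutation

# Constructed demo key and nonce (fixed so the output is reproducible).
KEY = hashlib.sha256(b"constructed demo key").digest()[:16]
NONCE = b"\x00" * 8  # a real CTR nonce must never repeat under the same key

# Constructed "video frame": 8 rows, each a black left half and a white right half.
# Every row is two 16-byte blocks, so the frame contains only two distinct blocks.
FRAME = (b"\x00" * 16 + b"\xff" * 16) * 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    """Round function: HMAC-SHA256 of (round index, half block), truncated to 8 bytes."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Encrypt one 16-byte block with the toy Feistel cipher."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    """Invert block_encrypt by running the rounds backwards."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def _blocks(data: bytes) -> list:
    assert len(data) % BLOCK == 0, "demo input must be block-aligned"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: each block is encrypted independently, so equal blocks give equal ciphertext."""
    return b"".join(block_encrypt(key, b) for b in _blocks(data))


def ecb_decrypt(key: bytes, data: bytes) -> bytes:
    return b"".join(block_decrypt(key, b) for b in _blocks(data))


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR: encrypt (nonce || counter) and XOR the keystream into the data.
    The same call encrypts and decrypts; equal plaintext blocks give different
    ciphertext blocks because the counter differs for every block."""
    out = bytearray()
    for n, b in enumerate(_blocks(data)):
        keystream = block_encrypt(key, nonce + n.to_bytes(8, "big"))
        out += _xor(b, keystream)
    return bytes(out)


def sketch(data: bytes) -> str:
    """Label each block by the order its content was first seen: 'ABAB' means
    blocks 1 and 3 are identical, as are 2 and 4.  Applied to ciphertext, this
    is exactly what a passive observer without the key learns about the frame."""
    seen: dict = {}
    return "".join(seen.setdefault(b, chr(65 + len(seen))) for b in _blocks(data))


def demo() -> dict:
    """Sketches of the plaintext frame and of both ciphertexts, side by side."""
    return {
        "plaintext": sketch(FRAME),
        "ecb": sketch(ecb_encrypt(KEY, FRAME)),
        "ctr": sketch(ctr_crypt(KEY, NONCE, FRAME)),
    }


if __name__ == "__main__":
    for mode, s in demo().items():
        print(f"{mode:>9}: {s}")
```

Running the script shows the ECB sketch identical to the plaintext sketch (the two-tone row structure is fully visible without the key), while the CTR sketch is sixteen distinct labels. The practical check when reading a vendor’s encryption claims is therefore not only “which cipher?” but “which mode, and are keys held only by the endpoints?”.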

Privacy

Motherboard discovered that Zoom’s iOS app was sending analytics data to Facebook, even if the user did not have a Facebook account. This was not made clear in Zoom’s privacy policy. Anyone with some privacy sense will understand that Zoom shouldn’t be sending data to Facebook at all, regardless of whether the user has a Facebook account. Privacy should be designed in from the start. Zoom subsequently apologized and issued an update for the iOS app.

Security Tips

Create private meetings with a password and a waiting room. A waiting room lets the host screen who is trying to join. If you have a participants list, it will be easier to kick out unwanted guests.

When you share your meeting link on social media or other public forums, it becomes extremely public. Anyone with the link can join your meeting. Consider only sharing via private messages.

You don’t have to send out a public link for interested parties to join. From the Zoom startup screen you can enter a meeting by typing a meeting ID or name. Anyone can enter random numbers to join a meeting, browse the web for IDs, or use an automated tool. Always require a password to join so that random people have a harder time crashing your meeting.

Don’t use your Personal Meeting ID (PMI) to host public events. The PMI is basically a continuous meeting. You don’t want random people entering your virtual space. Generate a random meeting ID for every meeting where possible.

If you really have to share links on social media or other public spaces, share random meeting IDs in the public spaces but always require a password to join. You can share the password in private messages.

Never directly open URL links or pictures shared over the chat. If you have to open them, take as many precautions as possible: check where redirects lead, block scripts, open them in an isolated environment, and so on.

Set proper authentication at the account level so that only authorized people can log in. Use strong passwords and two-factor authentication.

Update your login credentials. Sometimes credentials are shared within an organization (or outside of it), and this can go on for a long time. This makes it a lot harder to control who has access to the accounts and the system.

Get to know all the settings in the account and inside the conferencing space. Learn to mute, turn off video, set up a waiting room etc.

Consider disabling screen sharing for participants, and keep control over microphones with the host. At a minimum, this staves off interruptions.

If you have a participants list, or you don’t want more guests showing up, lock the meeting to outsiders once you get going.

Get a participants list. Do you really want to share sensitive information without knowing who is in the room, virtual or in-person? I don’t think so.

Install the latest updates and patches on your system. This includes the operating system and the Zoom software.

Read the documentation. Don’t trust the marketing material. Check what exactly is encrypted. Is it only the chat functions or the entire package?
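The tips above amount to a checklist that can be applied to a meeting’s configuration before the invitation goes out. The following added example, which is not code from this article or from Zoom, lints a meeting configuration against that checklist and reports what is still weak, with a careless configuration beside a hardened one. The dictionary layout and field names are assumptions chosen for the example, not Zoom’s actual settings export or API; map them to whatever your platform returns.

```python
"""Constructed example (not Zoom's code or API): lint a meeting configuration
against the hardening checklist and report what is still weak.

The dictionary layout and field names are assumptions for this example; map
them to whatever your conferencing platform's settings export or API returns.
"""

WEAK_MEETING = {      # constructed: the settings a careless host might leave in place
    "use_pmi": True,
    "password": "",
    "settings": {
        "waiting_room": False,
        "join_before_host": True,
        "screen_sharing": "all",
        "mute_upon_entry": False,
    },
}

HARDENED_MEETING = {  # constructed: the same meeting after applying the tips
    "use_pmi": False,
    "password": "k7Qm-2vWx-pL9e",
    "settings": {
        "waiting_room": True,
        "join_before_host": False,
        "screen_sharing": "host",
        "mute_upon_entry": True,
    },
}


def is_weak_password(pw: str) -> bool:
    """Short or digits-only passcodes are easy to guess alongside a meeting ID."""
    return len(pw) < 8 or pw.isdigit()


def audit_meeting(meeting: dict) -> list:
    """Return a list of findings; an empty list means the checklist is satisfied."""
    findings = []
    s = meeting.get("settings", {})
    if meeting.get("use_pmi"):
        findings.append("uses Personal Meeting ID: generate a random ID per meeting")
    pw = meeting.get("password") or ""
    if not pw:
        findings.append("no password: anyone with the ID can join")
    elif is_weak_password(pw):
        findings.append("weak password: use 8+ characters, not digits only")
    if not s.get("waiting_room"):
        findings.append("waiting room off: host cannot screen who joins")
    if s.get("join_before_host"):
        findings.append("join before host on: guests can meet unsupervised")
    if s.get("screen_sharing", "all") != "host":
        findings.append("participants can screen share: restrict to host")
    if not s.get("mute_upon_entry"):
        findings.append("mute on entry off: host does not control microphones by default")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_MEETING), ("hardened", HARDENED_MEETING)):
        print(f"{name}: {audit_meeting(cfg) or 'no findings'}")
```

Locking the meeting once everyone has arrived is a runtime action rather than a stored setting, so it stays on the host’s manual checklist; everything else above can be verified before the first guest joins.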

Further Reading

Cox, Joseph. Zoom iOS App Sends Data to Facebook Even if You Don’t Have a Facebook Account. https://www.vice.com/en_us/article/k7e599/zoom-ios-app-sends-data-to-facebook-even-if-you-dont-have-a-facebook-account

Kenyon, Miles. FAQ on Zoom Security Issues. https://citizenlab.ca/2020/04/faq-on-zoom-security-issues/

Krebs, Brian. ‘War Dialing’ Tool Exposes Zoom’s Password Problems. https://krebsonsecurity.com/2020/04/war-dialing-tool-exposes-zooms-password-problems/

Paterson, Colin. Archers fan event invaded by Nazis and pornography. https://www.bbc.com/news/entertainment-arts-52243209

Setera, Kristen. FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic. https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic
