Over the past few months, the teleconference software Zoom has seen explosive growth. It gained 2 million new users in the first two months of 2020—and that was before the World Health Organization declared the coronavirus outbreak a pandemic. With so many people – including myself – now relying on video conferencing for contact with their friends, family and colleagues, it’s no wonder Zoom has seen a significant increase in its popularity. But the firm has also attracted some negative press recently for issues related to its privacy and security.
A number of issues with Zoom have attracted public attention, most notably call hijacking or “Zoom-bombing.” Calls that are not set to private or password-protected can be accessed by anyone who inputs the nine- to 11-digit meeting code, and researchers have shown how valid meeting codes could easily be identified.
A Sketchy Installer
First, there was the problem with Zoom’s installer, which took over admin privileges to gain root access to a user’s computer. That access could be abused to surreptitiously install programs without the user’s knowledge, including the ability to access a user’s webcam and microphone. In an unprecedented move, Apple silently pushed out an operating-system update to disable it.
Questionable Routing
There are questions about where Zoom is sending the data it collects from your computer. Zoom was found to be sending data to Facebook, even if you weren’t logged in to a Facebook account. Zoom also apologized this month for mistakenly routing traffic through China, where the internet is heavily monitored by the government. Most tech companies operating in China have strict separations between domestic and international online traffic.
Zoombombing
There’s also the rash of “Zoombombing” that has gone on. People are guessing or finding Zoom meeting ID numbers online and entering uninvited to leave disruptive comments or share disruptive media using Zoom’s screen-share feature. Finding open meetings, which have IDs from nine to 11 digits, is relatively simple and has already been automated. Until a patch issued this week, the meeting ID would often be highly visible in screenshots.
What Can You Do?
To maintain the security of your next meeting, our recommendations are below:
- Password protect your meetings
- Lock down your meeting once the conference starts
- Turn off participant screen sharing
- Use a randomly-generated ID
- Avoid file sharing
- Remove nuisance attendees
- Check for regular updates.
- Unauthenticated users should be held in a waiting room so the organiser can check their identity before admitting them to the call
- Make sure a meeting host monitors the participants list and ensures no unknown participant joins
- Be careful with meeting recordings and get consent from the participants
- Rather than downloading and installing the Zoom app, you can increase your security by using the web interface to access your meeting.
Additional content: www.zdnet.com, www.techxplore.com, www.nymag.com
