Zoom has seen an incredible up-tick in their user base during the COVID-19 pandemic. Between schools, businesses, and individuals just trying to stay connected with family, Zoom has been one of the most popular video conferencing solutions to meet everyone’s newfound needs in this new remote and socially-distanced environment. With all of this increased attention though, there has also been an increase in the security issues associated with the Zoom platform. In this blog, we’ll review some of the issues that have come up and provide some practical Zoom security tips to keep yourself secure on the platform.
Zoom Security Concerns
In this section, we will cover the major Zoom security issues that have been uncovered and exploited within the platform and discuss the risks.
Issue 1 – Zoom Bombing
The most popular issue that has circulated the news is “Zoom Bombing”. This occurs when an unwanted party joins your zoom call. This could be embarrassing if you are having a business meeting, and has even gone so far as to have inappropriate images and videos in kid’s classrooms where Zoom is being used for school. Most of the time this is a prank, but it has led to some pretty bad situations that the FBI has published warnings about. As of November 16, Zoom has released a new feature that allows users to report disruptive participants and allows the host to kick that user out of the meeting.
Issue 2 – End-to-End Encryption
Zoom has gotten its hand slapped by the FTC on this one. Essentially, they misled users that there was end-to-end encryption when there in fact was not. This is important, because encryption ensures that no user can intercept the packets on the network and view your session. This encryption may be protecting things in communications like intellectual property, personal information, etc. This has since been fixed, and their actual end-to-end encryption went live on October 27th.
Issue 3 – Mac Spying
In July, a security researcher named Jonathan Leitshuh, showed that Mac users who had the app installed, even if they later removed it, could have their webcam spied on. This is a very serious issue, as you can imagine. The good news is that this has been fixed.
Issue 4 – Windows Remote Code Execution
While this only affected Windows version 7 and earlier, back in July security researches uncovered a flaw in the Zoom client that would allow an attacker to completely take over your computer. This has since been fixed.
Issue 5 – Cisco Talos Vulnerabilities
Back in June, Cisco Talos found 2 critical vulnerabilities with Zoom. The first entails sending a specially crafted GIF in chat to force code execution. The second involves sending a compressed file in chat that, due to the nature of how Zoom stored and opened those files, would allow an attacker to install malware on your machine. These have both been fixed.
So How Secure Is Zoom?
Looking at this laundry list of issues that Zoom has had in 2020 alone, a very prudent question to ask is whether it is really safe to use or not? Ultimately, all of the vulnerabilities presented have been fixed. However, two things should be considered.
First, typically when an application is developed insecurely and security is an after-thought, there are going to be issues. The sheer number of issues uncovered is indicative of the fact that this application was developed to work, but probably didn’t security being engrained from the get-go. Where there is smoke, there is usually a fire. What this means is that even though all of these vulnerabilities are remediated, there are very likely others that have not been uncovered as of yet.
With that being said, Zoom has been in the spotlight all year. They have had some of the best security experts on the planet researching and trying to find vulnerabilities associated with it. Additionally, Zoom has done a good job of quickly remediating and patching all of these unearthed vulnerabilities. Most of the software you use on a regular basis has not had the same kind of attention. Because of that, it is likely that most of the major vulnerabilities have already been discovered as a result of all the attention, so Zoom may be the most secure platform out there.
Tips for Using Zoom Securely
First, protect your Zoom account itself. This includes using a strong password (and a password manager) for your account. This should also be different from all your other passwords for things like your work computer, Facebook, etc. Additionally, Zoom now supports multi-factor authentication, meaning if an attacker gets or guesses your password, they will still need access to your phone. This reduces the likelihood that they’d be able to gain unauthorized access to your account even further.
Second, ensure your Zoom client is running the latest version. Regularly update this. Even more, if you use the web client instead of installing it, it will always be using the most up to date version.
Finally, protect your meetings. Ensure you are using password protected meetings and only sharing the meeting information with attendees.
Give us a shout if you want to discuss any Zoom security issues further, we would love to talk through how you are using Zoom, and what other security considerations might be applicable to any other remote work activities going on at your organization.