To Zoom it may concern: risks & tips from a cybersecurity expert
With little notice, the world needed an alternative to in-person meetings - and it needed it fast.
With little time for brands to market their solution, Zoom - already established within remote teams - quickly became the go-to for locked-down businesses across the globe.
In recent weeks the platform has not only seen a spike in users and share price but a much larger share of public consciousness.
During the day, it is a virtual meeting room for a team to catch-up. In the evening, it becomes the world’s local pub, as friends and family turn to the video conferencing platform to hang out and host virtual pub quizzes.
But with that new spotlight has come warranted concerns over the security of the platform.
As the dust begins to settle on a DIY remote workforce, can the platform be more than a necessary stop-gap? Should businesses look elsewhere for increased security? While presumably a welcome boost, can Zoom rise to the challenge of this influx?
Carl Morris, Security Researcher at Orange Cyberdefense, has laid out the risks and tips to minimise cybersecurity flaws.
The term ‘Zoombombing’ was only coined recently, so you’d be forgiven for not knowing it. Put simply, it describes outsiders joining a currently running Zoom session without invitation.
Who might you expect to ‘Zoombomb’ your meeting? Morris tells BusinessCloud it could be anyone, as the method doesn’t require expect hacker credentials.
“The attack doesn’t necessarily require any knowledge of hacking or Zoom’s specific security settings,” says Morris.
“It can be as easy as simply Googling for URLs that include Zoom.us, which can turn up the unprotected links of multiple meetings that anyone can join.”
To combat the problem, Morris suggested that all virtual meetings should be password-protected with a strong randomly generated password.
“Don’t allow attendees to join before the host and instead enable the ‘Waiting Room’ feature so a host has to allow participants to join,” he advises.
“Additionally, screensharing should be restricted so only the host or a person the host has selected can share content.”
Post GDPR it’s assumed that employees handling personal data are at least broadly aware of the care with which personal data is handled. But that training has typically focused on databases, emails and phone calls.
Video conferences are a different beast, and one many businesses are entirely new to.
Morris says that although the medium is different, the same level of care must remain.
“The default settings of videoconferencing services such as Zoom are, rightly or wrongly, usually designed with ease of use in mind so users can get up and running as quickly as possible,” he says.
“However, users need to take some responsibility and should take the time to familiarise themselves with the security settings that are available."
He advises that anyone using videoconferening should ensure that no confidential or sensitive information is visible in the webcams feed, such as on a whiteboard in the background or papers on a desk.
He also suggests that “care should also be taken when sharing or presenting information to the other attendees” and steps should be taken to only share the view of specific application on a desktop, rather than sharing an entire desktop with other attendees.
“This removes the risk of attendees seeing other documents the host may have open or information leaking from email or instant messaging notifications being displayed.”
Taking photos of your conference
The novelty of your first successful video conference might make it irresistible to snap a photo and share the accomplishment on social media, particularly if the rest of your timeline is doing the same.
As innocent as this might feel, this poses risks, and gives a targeted attacker more information to work with.
Even Prime Minister Boris Johnson fell foul of this after tweeting a picture of a virtual cabinet meeting which included the meeting ID number, though Morris argues that it did have measures in place which would have prevented any unwanted participants from joining “what would have been a highly sensitive and classified meeting”.
“Would-be hackers can also obtain links to public meetings from the social media pages of less security-savvy organisations,” he says.
Morris advises that everyone should refrain from taking photos of their screen during a Zoom call to keep things safe.
“To minimise exposure to any risk, it is advisable that Zoom users refrain from sharing any images of Zoom meetings, or other collaboration tools, on social media, much in the same way as we strongly discourage any individual from posting any kind of personal information online, whether that’s an email address or the name of your favourite pet.
“It’s much the same with Zoom. Why give hackers any clues in their quest to bypass organisation’s security when it is unnecessary to do so?”
Suitability for medical, government and military meetings
Morris agrees with the Ministry of Defence’s decision to ban use of Zoom for conversations of critical national importance. He says Zoom would need to prove that it is suitable for all users, particularly those in government, military and medical roles, but is yet to do so.
“We should closely observe Zoom’s response to these issues to gauge how seriously it takes security and how capable they are of responding.”
He highlights the company’s recent admission that some calls were routed through China for non-China users, which its CEO Eric Yuan called a mistake.
“In an era of heightened nation-state cyber activity and increased geopolitical tension, if these accusations are proved to be founded, the MoD, as an organisation which deals with a huge amount of sensitive information, will likely believe they were justified in banning the use of the platform, as the app could become an important target for hacking by nation states,” he says.
Should businesses continue using Zoom?
Despite the cybersecurity concerns, Morris says it is no less secure than other forms of communication such as email.
“Videoconferencing brings with it different security risks that users and administrators need to be aware of, but that does not necessarily make it markedly less secure,” he says.
“Zoom has already announced that it has frozen the development of new features in order to concentrate on safety and privacy issues.
“[Zoom has] actually managed the balance between privacy and security against demands for features, control and performance relatively well in the past, and the company has certainly taken a quantum leap in terms of the quality and stability of their service.”
He says in the coming days and weeks, the firm should respond to demands from their customers by adding specific privacy control features for users to better manage video behaviour, which he said is something Zoom’s CEO has promised to do.
However, he says, use cases involving sensitive information might be another story.
“Here, customers might have specific requirements, for example regarding government-approved encryption standards that Zoom is not able to meet with its standard offering. “
He warns: “Any piece of personal information online is one more piece in the jigsaw puzzle that cyber criminals can use to penetrate defence and extract personal data.”