Zoom vulnerabilities: how to stay secure in lockdown?
With billions in lockdown, people are finding new ways to stay in touch and keep working from home. As a result, some apps and services have seen a meteoric increase in popularity — perhaps none more so than Zoom. This video communication platform allows users to stream presentations, host meetings, and even provide university courses remotely.
That's not to say that it’s all been smooth sailing for Zoom. With its sudden rise to prominence, a range of concerns and security issues are surfacing. From encryption to trolling, here’s everything you need to know about the latest Zoom security vulnerabilities.
What is Zoom?
Zoom offers a variety of useful functions, with video conferencing at its core. It’s become a popular communication platform for corporate teams, universities, and even government bodies. That's thanks to its simple interface and easy screen-sharing options.
The service has been live since 2011, and throughout the last decade, many businesses have adopted it as a streamlined communications solution. By 2019, the company had managed to build an active base of around 10 million users. But that skyrocketed to a staggering 300 million in the last four months.
Educational authorities in Italy were quick to pick up on Zoom as a way to keep universities in action while students stayed home. In the US, it’s now standard practice for government ministers to meet on the app. Across the world, Zoom is a key part of lockdown life.
So where’s the catch?
Zoom security vulnerabilities
With such unprecedented growth, some criticism was inevitable. Zoom came under increasing scrutiny during the first quarter of 2020, with many raising alarms over security vulnerabilities and questionable practices.
A feature that allowed bosses to track employee eye movements, flagging up a lack of attention during meetings, was an early controversy. That feature — which was removed following a backlash — was just the tip of the iceberg.
In its defence, the company has been quick to respond to complaints. After warnings that the app exposed Windows passwords to other users, Zoom offered a patch to remove that weak spot. But another problem soon dwarfed this one and was not so easy to solve.
That problem was Zoombombing.
What is Zoombombing?
Some of the most negative — and eye-catching — headlines about Zoom have related to Zoombombing. This term refers to a trolling tactic in which strangers force themselves into other people’s meetings.
It has been easy for malicious actors to find and disrupt unsecured video conferences. This led to a string of incidents that range in severity, with trolls spamming offensive material, slurs, and sexual content into the Zoom calls of everyone from French students to American state officials.
The primary issue is that, until recently, joining a Zoom conversation required nothing more than the meeting's URL or a direct link. Those links were easy to track down, either by searching the internet for the components that every meeting URL shares or simply because the links had already been posted online.
Some educational bodies made the mistake of posting their links publicly so that students could easily find particular presentations. This left the door open for the kinds of disruption and criminal behavior that have since plagued the app.
There's good news. A new software update will now require anyone entering a Zoom call to use a password, which can be sent to participants in advance. This should limit the extent to which people can force their way into conversations, and might finally put an end to this particular problem.
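The two weaknesses described above, links that are posted publicly and meetings that can be joined from the link alone, are easy to check for on your own pages. The following script is an added example, not code from the original article or from Zoom: it pulls meeting links out of a block of published text and flags those that carry no passcode. It assumes the common Zoom join-link layout https://<tenant>.zoom.us/j/<meeting id>?pwd=<token>, with the encoded passcode in the pwd query parameter and a 9- to 11-digit meeting id; both are assumptions here, not facts stated in the article, and the course page below is a constructed sample.

```python
"""Audit published text for Zoom invitation links that lack a passcode.

Added example (not the article's or Zoom's own code). Assumes join links
look like https://<tenant>.zoom.us/j/<meeting id>?pwd=<token>, where ``pwd``
carries the encoded meeting passcode and the id is 9 to 11 digits.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample of a course page that was posted publicly.
SAMPLE_PAGE = """Welcome to the course page (constructed sample).
Lecture 1: https://zoom.us/j/1234567890
Lecture 2: https://example.zoom.us/j/9876543210?pwd=abc123XYZ
Office hours: https://zoom.us/j/5551234567?pwd=
Reading list: https://example.com/j/1234567890
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
MEETING_PATH = re.compile(r"^/j/\d{9,11}/?$")  # assumed id length


def is_zoom_host(host):
    """True for zoom.us itself or any tenant subdomain such as example.zoom.us."""
    return host == "zoom.us" or host.endswith(".zoom.us")


def find_zoom_links(text):
    """Return every Zoom join link found in the text, in order of appearance."""
    links = []
    for url in URL_RE.findall(text):
        parts = urlparse(url)
        if is_zoom_host(parts.hostname or "") and MEETING_PATH.match(parts.path):
            links.append(url)
    return links


def classify_link(url):
    """Return 'protected', 'unprotected' or 'not_zoom' for a single link.

    An empty pwd= value counts as unprotected: parse_qs drops blank values,
    so the lookup falls back to the empty string.
    """
    parts = urlparse(url)
    if not is_zoom_host(parts.hostname or "") or not MEETING_PATH.match(parts.path):
        return "not_zoom"
    passcode = parse_qs(parts.query).get("pwd", [""])[0]
    return "protected" if passcode else "unprotected"


def audit(text):
    """Classify every Zoom link in the text and list those needing action."""
    report = {url: classify_link(url) for url in find_zoom_links(text)}
    flagged = [url for url, status in report.items() if status == "unprotected"]
    return report, flagged


if __name__ == "__main__":
    report, flagged = audit(SAMPLE_PAGE)
    for url, status in report.items():
        print(f"{status:12} {url}")
    print(f"{len(flagged)} link(s) can be joined without a passcode")
```

Run it over any page, memo or syllabus you have published; a link that shows up as unprotected is exactly the kind a stranger could use to join uninvited, and should be regenerated with a passcode, with the passcode sent to participants separately as the update now allows.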
Encryption and security
Zoom’s marketing materials initially implied that the service used the AES-256 encryption standard, a gold standard in encryption. Users were assured that even the company itself could not access the content of videos and messages on the app, but that wasn’t the case.
In fact, Zoom was relying on AES-128 encryption, a weaker option that does not offer the level of security the company advertised. That also meant that Zoom could potentially view the content of private communications, suggesting a lack of transparency on its part.
Once again, there’s good news. The same update that offers a potential solution to Zoombombing also provides genuine AES-256 encryption. It might be late, but this will raise the standards of security considerably.
How to be more secure on Zoom?
Use waiting rooms
Using the waiting room function will give hosts more control over who enters their conversations. This allows you to screen anyone attempting to access the call. It's not a completely watertight system yet, but it goes a long way to reducing the risks.
Keep your app updated
To its credit, Zoom is responding to the deluge of complaints and will hopefully be able to resolve many of them with the newest update. However, there will almost certainly be new issues and more patches to download. It’s vital that you keep the app updated and use only the latest version, to ensure that you’re getting the fixes you need to stay safe.
Be ready to combat Zoombombing
The new update may spell an end to this particular form of trolling, but it's worth preparing for the worst. Even if someone manages to Zoombomb your call, you can still counter their efforts. Access your Participants List to lock the call, mute intruders, and expel anyone who’s forced their way in.
Use the presentation function
Unless a call needs back-and-forth dialogue, corporate teams should use the webinar presentation function. This can limit disruptions and still allow some meetings to progress. If participants are only viewing a one-way presentation, you won’t have to worry about someone hijacking the call.
Zoom - going forward
Like any business going through a transformative period of expansion, Zoom is still working out the details. Its security protocols get better with every update, and for many, it will continue to provide an essential service during the lockdown.
That being said, it’s worth bearing in mind its weaknesses, and taking any steps you can to protect yourself. This is not a perfect service yet: its long-term success depends on the forthcoming updates.