Since face-to-face meetings are out of the question when most non-essential workers are under stay-at-home orders, many companies have opted for the teleconferencing app Zoom.
Despite the recent revelation that Zoom’s teleconferencing system is not always the most secure, it is still one of the least expensive and most user-friendly options for holding meetings during the coronavirus outbreak.
Zoom has seen its user numbers explode during the pandemic, but that has left it exposed to a number of different types of attacks and to other problems, such as videos being exposed on the web. There are many alternatives to Zoom, but if you want to continue using the service, you should understand the security implications and what you can do to protect yourself, other participants and your company.
The risks
Because of complaints, Zoom in mid-April said it was working to fix a number of bugs and security holes in its system.
While some issues have plagued the system for a few years, others were recently discovered as usage surged in the first three months of 2020. Here’s a list:
Stolen passwords — One of the more recently discovered vulnerabilities allowed hackers to steal Windows passwords.
Eavesdropping — Two other newly discovered holes could let hackers remotely install malware on affected Macs and eavesdrop on meetings.
Phishing attacks — Hackers are creating fake Zoom links and websites to lure people to log in. In so doing they can steal financial details, spread malware and steal Zoom ID numbers and passwords, which allows them to infiltrate meetings.
‘Zoombombing’ — This occurs when uninvited guests gain entry to private meetings. This typically happens for large events after log-in details were announced on social media, but it is happening in smaller meetings as well. Typically, these infiltrators will disrupt the meeting with profanities and insults or by streaming porn for the other participants to see.
Hackers are using the same techniques to eavesdrop on or disrupt business meetings.
Meeting recordings exposed — This can only happen if the meeting organizer records the meeting. A Washington Post investigation found thousands of private Zoom videos that had been posted on the web. The exposed video calls included private business discussions, casual conversations with friends, therapy sessions, and nudity. Many of these videos seem to have been made public by mistake.
Meetings are typically not recorded. The default setting on Zoom does not record meetings. But meeting hosts can save the videos on Zoom’s servers or their own computers without participants’ consent.
Tips to keep your Zoom meetings private
- Don’t post your Zoom meeting IDs publicly. Send them privately by e-mail or through a messaging app.
- Create a new ID for every meeting. Don’t recycle old ones from prior meetings.
- Adjust the Zoom settings to require participants to enter a password to access the meeting.
- Enable Zoom’s “Waiting Room” feature. This lets you keep participants in a digital queue until you approve them to join the session. Beginning April 4, Zoom enabled the feature by default, requiring additional password settings for free users. Zoom has a guide to the feature on its website.
- If you are worried about abuse, you can turn off a number of features, such as private chats, annotation and file transfers.
- Keep the Zoom desktop app up to date, so that any patches Zoom makes to security vulnerabilities are added to your device.
- If you are concerned about hackers accessing your data and you don’t need to screen share, you may want to use Zoom only on mobile devices such as a smartphone or tablet. These seem to be less susceptible to hacking.
- Build awareness of Zoom phishing scams into user training programs. Users should only download the Zoom client from a trusted site and check for anything suspicious in the meeting URL when joining a meeting.
- Ensure all home workers have anti-malware protection, including phishing detection, installed from a reputable vendor.
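
The meeting-URL check from the phishing tip above can be automated, for example in a mail filter or a training exercise. This is an added example, not part of the original article. It assumes genuine join links are HTTPS URLs on `zoom.us` or one of its subdomains; the function name and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: genuine join links live on zoom.us or a subdomain of it.
# Extend this set if your organization uses another Zoom-operated domain.
TRUSTED_DOMAINS = {"zoom.us"}


def check_meeting_url(url):
    """Return the reasons a join link looks suspicious (empty list = passes)."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return ["malformed URL"]
    problems = []
    host = (parts.hostname or "").rstrip(".").lower()

    if parts.scheme != "https":
        problems.append("not an https link")
    if parts.username is not None or parts.password is not None:
        # "https://zoom.us@other.example/" is really a link to other.example
        problems.append("user-info placed before the host name")
    if not host:
        problems.append("no host name")
        return problems
    if not host.isascii() or any(p.startswith("xn--") for p in host.split(".")):
        problems.append("internationalized host name (possible look-alike)")
    # Match whole DNS labels: "zoom.us.login.example" must not pass.
    if not any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        problems.append("host %r is not under a trusted domain" % host)
    return problems


# Constructed sample links; the .example hosts are placeholders.
SAMPLES = [
    "https://us02web.zoom.us/j/1234567890?pwd=placeholder",
    "http://zoom.us/j/1234567890",
    "https://zoom.us.meeting-login.example/j/1234567890",
    "https://zoom.us@meeting-login.example/j/1234567890",
]

if __name__ == "__main__":
    for link in SAMPLES:
        reasons = check_meeting_url(link)
        print(link, "->", "OK" if not reasons else "; ".join(reasons))
```

A link that passes this check can still lead to a meeting you were not invited to by the person you expect, so the check complements user training rather than replacing it.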