Following on from the FBI warning about using the American remote conferencing service Zoom, due to the rise in “Zoombombing”, please see below for comments from a cybersecurity expert on the real risks of using Zoom and how to mitigate them.
Amid the global pandemic, companies and individuals alike have been hastily adjusting to remote operations and increasingly utilizing digital communication platforms such as Zoom for work and personal use cases. As such, Zoom’s daily users have increased almost 2,000% in the past four months. However, this rapid adoption of Zoom has led to the discovery of personal Zoom videos left viewable on the open web, discoverable through simple online searches. With personally identifiable data as well as work and intimate conversations exposed, bad actors now have the ability to exploit this information and launch phishing attacks or other scam campaigns against Zoom users.
Companies that hundreds of millions of global customers are relying on for business continuity and/or personal communications during this challenging time must have stringent security measures in place. Every saved recording must require a unique file name that is not identical to any other recording, especially given that these files can be saved openly on the web in misconfigured public storage buckets. Neglecting necessary security steps will put the personal privacy and sensitive data of Zoom’s users at risk.
Due to the current crisis and subsequent increase in demand for their product, Zoom may have had no choice but to speed up efforts and, in doing so, made the tough choice between innovation and security, leading to the resulting data breach. Had they been leveraging an automated security strategy, however, they would never have had to make that choice. The reality is that companies can accelerate innovation without loss of control in the cloud by leveraging automated security strategies that grant the ability to enforce policy, provide governance, impose compliance, and provide a framework for the processes developers should follow—all on a continuous, consistent basis. As a result, companies can innovate while maintaining security; they simply must adopt the proper cloud strategies and solutions.
The main ongoing privacy concern with Zoom is that the employees of Zoom can view people’s video/audio. This doesn’t mean they do, but architecturally they can. The same is also true for Teams, Skype and most other video conferencing systems.
Separate from the overall way that Zoom works, there have been several publicly disclosed vulnerabilities:
1) 2018 – Manipulate meetings/send fake messages
2) 2019 – Force users to join malicious video calls
3) 2019 – Critical code execution
4) 2019 – Webcam information disclosure
5) 2020 – macOS Local Privilege Escalation
There have been some serious flaws affecting almost all Zoom products. And in some cases, the fixes that have been put in place have been undone by later patches. While Zoom does seem to have more than their fair share of vulnerabilities, it is not the only video conferencing tool with these kinds of flaws; for example, Cisco WebEx had an extremely critical code execution vulnerability that was found in 2017.
There is definitely an increased risk with using any application like Zoom/WebEx. But whether that risk is acceptable is up to the organisation. For some businesses, the features outweigh the risk, for others, the risk is too high no matter what the features are. Like anything – you have to take a risk-based approach to the tools and technologies used.
One point to also consider is that Zoom is getting a significant amount of attention and so far seems to be proactively responding and actively improving its security posture. There are many, many more flaws in many, many other products that are simply not even known about yet or haven’t had the attention for them to be found.
Key steps you can take to help mitigate risks:
1) Ensure that any local Zoom clients and browser plugins are kept fully up to date.
2) Ensure that all Zoom meetings have strong passwords set which are not ‘shared’ between separate meetings.
3) Disable the ‘telephone dial-in’ option wherever possible. The reason is that you only need a meeting ID to connect via telephone dial-in, not the meeting ID and a password as you do for computer-based audio.
4) Monitor the participants of the meeting and ensure that only those expected are present.
5) Ensure that the username and password you have set for your Zoom account are unique and not shared with any other system or service.
6) Enable two-factor authentication on your Zoom account.
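Steps 2, 3 and 4 above lend themselves to an automated check over whatever meeting configuration an organisation exports. The following is an added example, not code from the article or from Zoom: the meeting-settings dictionaries (`id`, `password`, `dial_in_enabled`) and the sample meetings are constructed for illustration and do not reflect Zoom’s real API or setting names. The audit flags weak passwords, passwords reused between separate meetings, and meetings that still allow telephone dial-in, and a helper reports participants who were not on the expected attendee list.

```python
"""Audit constructed meeting settings against the hardening steps listed above.

The settings schema and sample data are constructed for this example; they are
not Zoom's API, its setting names, or real meeting data.
"""
import re
from collections import Counter

MIN_PASSWORD_LENGTH = 10

# Constructed sample data (hypothetical meetings, not real ones).
SAMPLE_MEETINGS = [
    {"id": "weekly-sync", "password": "Tq7#mZ2pLw4v", "dial_in_enabled": False},
    {"id": "board-review", "password": "123456", "dial_in_enabled": True},
    {"id": "all-hands", "password": "123456", "dial_in_enabled": False},
    {"id": "open-call", "password": "", "dial_in_enabled": False},
]


def password_weaknesses(password):
    """Return the reasons a meeting password is weak; an empty list means acceptable."""
    if not password:
        return ["no password set"]
    reasons = []
    if len(password) < MIN_PASSWORD_LENGTH:
        reasons.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.isdigit():
        reasons.append("digits only")
    if re.fullmatch(r"(.)\1*", password):
        reasons.append("single repeated character")
    return reasons


def audit_meetings(meetings):
    """Return {meeting_id: [finding, ...]} for every meeting that violates a step.

    Meetings with no findings are omitted from the result.
    """
    # Step 2: passwords must not be shared between meetings, so count how often
    # each non-empty password appears across the whole set.
    reuse = Counter(m["password"] for m in meetings if m["password"])
    findings = {}
    for m in meetings:
        issues = [f"weak password: {r}" for r in password_weaknesses(m["password"])]
        if m["password"] and reuse[m["password"]] > 1:
            issues.append("password reused across meetings")
        # Step 3: dial-in callers need only the meeting ID, so the password
        # requirement is bypassed for that join path.
        if m["dial_in_enabled"]:
            issues.append("telephone dial-in enabled (joinable with meeting ID alone)")
        if issues:
            findings[m["id"]] = issues
    return findings


def unexpected_participants(expected, joined):
    """Step 4: names present in the meeting that are not on the expected list."""
    return sorted(set(joined) - set(expected))


if __name__ == "__main__":
    for meeting_id, issues in audit_meetings(SAMPLE_MEETINGS).items():
        print(meeting_id)
        for issue in issues:
            print("  -", issue)
    # Constructed attendee lists for the participant check.
    print("unexpected:", unexpected_participants(["alice", "bob"], ["bob", "mallory", "alice"]))
```

Running the script reports nothing for `weekly-sync`, three or four findings for the two meetings sharing `123456`, and a single finding for the meeting with no password; the participant check returns the one name that was not expected. The same structure can be pointed at a real configuration export once the field names are mapped to the organisation’s own data.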