There has been a lot of buzz around the security issues and vulnerabilities around Zoom recently. We wanted to compile them for you in a concise and easy to understand way.
Zoom has found a way to make a very user-friendly and easy video conferencing system, unfortunately this has come at the expense of security. So before you jump into your next Zoom meeting take a minute to read these vulnerabilities and decide if continuing to use Zoom is worth the risks to your organization.
Here is a list of recent security issues you know know about and what you can do:
- Zoom installed a web server on Mac clients to run zoom without notifying users leaving the machine vulnerabilities - This has been addresses in mid 2019 Update your zoom application if you are on a Mac
- Zoom meetings allowed anyone to join by entering a random meeting ID - Zoom has lengthened their meeting ID's and blocked receptive attempts, It is recommended to add passwords to zoom meetings and not embed the password in the zoom URL
- Zoom leaks information to Facebook - Zoom has removed this functionality No action needed
- Zoom built in attention tracking to let the host know if you were not focused on the zoom application on your device - zoom removed this feature due to negative feedback No action needed
- In another Mac work around, Zoom hid code in their macOS installer that would install zoom before the user agreed to the terms and agreed to install Zoom - Zoom has updated their installer No action needed
- Zoom's end to end encryption really isn't end to end encrypted, without getting into the weeds (you can read them at https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/) - While Zoom does not follow standard encryption guidelines it is up to your organization to determine if the sensitivity of the meetings is worth the risk.
- Zoom shares all contact information with others who have the same domain in their email address - You can request zoom block this feature for your company/domain by visiting https://support.zoom.us/hc/en-us/requests/new
- Zoom automatically allowed any links in Windows, even links to local files and local servers - Zoom fixed this in April 2020 Update your zoom application if you are on Windows
- Zoom leaked participant information through LinkedIn - Zoom removed this feature in April 2020 No action needed
- Zoom frameworks used on Mac clients exposed multiple exploits allowing attackers to replace a part of Zoom's code to allow any software to be installed. An attacker could also gain access to the microphone and camera without the end users knowledge. - Zoom dressed this in April 2020 Update your zoom application if you are on a Mac
- Zoom allowed the participants of a meeting to see private conversations of any shared meeting recording - Zoom has not made any changes to this We recommend nothing private be shared inside Zoom chats, use another chat service
- Zoom has Chinese ownership, and while that is not abnormal for many companies, the issue is compounded due to the encryption Zoom uses only being deployed by Zoom where Zoom holds the encryption Keys. And due to China's government policy requiring that Zoom be obligated to disclose those keys if requested, it can leave your sensitive meetings open to the Chinese government. It is up to your organization to determine if the sensitivity of the meetings is worth the risk.
- Zoom exposes meetings to the web that are easy for anyone to find through a simple web search - If you have private meetings make sure not to keep them anywhere public and rename the recorded meeting file to keep them from being easily searchable.
Key Security Take Aways and Action Steps:
- Keep your Zoom version on your computer up to date as Zoom is constantly fixing security concerns
- DO NOT use zoom if you are concerned about the sensitivity of your meetings and their topics of discussions
- Set passwords for all zoom meetings to protect unwanted guests from joining
- Set all Meeting IDs to generate automatically
- Set Participants Video to Off. This way video does not start automatically for users
- Set Participants to Mute on Entry. This way users are muted when they enter the room and can un-mute themselves
- Make sure Waiting rooms are turned off as well, this prevents people from chatting prior to a meeting starting.
We hope this will help if you decide to continue to use Zoom, if you are looking for an alternative check out this list: https://9to5mac.com/2020/04/01/10-zoom-alternatives-more-secure-video-calls/