Network Security, News Blog

Zoom Security Concerns

Posted on by Mike Herrington
16
May

Zoom Security Concerns

Businesses around the US have sent employees home to work following COVID-19 shelter in place orders.  This has caused a huge influx of users to video conferencing applications like Zoom.  However, security of these products is always a concern, and Zooms complete lack of security is apparent in recent media coverage. Frankly, it has been a bloodbath.  Deservedly so in this writers opinion.  The number of articles related to zoom security concerns in the media in the last couple of months has been astounding.  Here is a very brief rundown of all that has been happening with Zoom.  You can find additional details from our friends at CNET.

Timeline of Zoom Security Issues

  • March 26th – Motherboard Investigation: Zoom iOS app sending user data to Facebook
  • March 27th – Zoom removes Facebook data collection feature
  • March 30th – The Intercept Investigation: Zoom does not use end-to-end encryption as promised. Bugs discovered.  Windows Zoom bug opened people up to password theft.  Another bug allowed malicious actors to control zoom users microphone or webcam.  Another vulnerability allowed zoom to gain root access on a MacOS desktop.  First class action lawsuit filed.  Letter from New York Attorney General Sent to Zoom about security concerns.  Classroom Zoombombings reported.
  • April 1 – SpaceX bans Zoom. More Security flaws discovered – Zoom leaking users email addresses and photos to strangers.  CEO Yuan issues an apology and says the company will enable waiting room and password protection for all calls.  They will freeze all feature updates to focus on security.
  • April 2 – Security researchers reveal automated tool that can find 100 Zoom meeting IDs every hour. New York Times reports that data-mining feature on zoom allowed some participants to have access to LinkedIn data from other users.
  • April 3 – Washington Post reports that thousands of recorded video calls were left unprotected and viewable on the web. Zoom apologizes again to substandard encryption.  Second Class action Lawsuit filed.  Congress requests information from Zoom.
  • April 4 – Another Zoom apology from CEO Yuan.
  • April 5 – Calls mistakenly routed through Chinese whitelisted servers.
  • April 6 – Some school districts ban Zoom. 352 compromised zoom accounts found on the dark web.  Zoom seeks to grow its lobbying presence in Washington.  Senator Blumenthal calls for an FTC investigation into Zoom over privacy and security issues.  Third Class action lawsuit filed.
  • April 7 – Taiwan bans Zoom from Government use.
  • April 8 – Fourth lawsuit filed. Google Bans Zoom.  Zoom hires new security advisor and council.
  • April 9 – Senate to avoid Zoom. German Government warns against Zoom use.
  • April 10 – Pentagon restricts Zoom use.
  • April 13 – 500,000 zoom accounts sold on hacker forums.
  • April 15 – Hackers discover two critical exploits that perfect for corporate espionage, and are selling them on the dark web for $500,000.
  • April 16 – Two new massive zoom exploits uncovered.
  • April 20 – Zoom to create a “report user” button to report abusive users.
  • April 21 – Holocaust memorial zoombombed with Hitler images.
  • April 22 – Zoom rolls out security update with better encryption.
  • April 28 – Intel Report: Zoom could be vulnerable to foreign surveillance.
  • May 7 – Zoom buys a security company Keybase to strengthen security and encryption.

Somehow still growing

Most of our readers will agree after reading through this tale of woe that Zoom does not seem to give two hoots about security.  Despite the beating that they have taken over zoom security concerns the user counts continue to climb.  In fall of 2019, Zoom had a user base of about 10 million users.  Recent information for April put that number up to 300 million. So why are people still using the product with all of the security holes?  It is the simplest and easiest to use interface on the market.  It has quickly become the Kleenex of video conferencing.  In addition, most users are not nearly as concerned about security as they should be.

Should we use Zoom

The simple answer to this is no.  If you value your privacy and security, you should stay away from Zoom.  Numerous other products on the market fill the same need and are MUCH more secure.  Microsoft Teams is a great solution for simple video conferencing with FAR superior security.  Google Hangouts is another great option.  Use those products instead.

I’m going to use Zoom anyway

If for whatever reason you choose to use Zoom anyway there are several things you can do that will offer you some basic protection.
  1. Do not share your meeting ID online. If you do, you are really asking to get zoombombed.  Take caution about who you share meeting invite details with and never post it in a public place.
  2. Use a 1-time meeting ID. This is a new security feature zoom has put in places that allows for additional security.  Take advantage of it.
  3. Set a password for your meetings.   No exceptions for any reason.
If you follow those three steps, it will at least make it less likely that your meeting will be zoombombed.  Keep in mind that none of these steps addresses the risk you take when Zoom shares your personal data.

Show us a better way

The professionals at i.t.NOW are always available to discuss your options for alternate solutions to Zoom.  For us, security is a priority.  We want to work with you and your team to keep you safe.  We acknowledge that we have to find ways to stay productive during this trying time, but as illustrated by the timeline above Zoom is not the answer.  Call us today to discuss how Microsoft teams can offer you all the functionality you need while keeping your data secure.
Mike Herrington