We’ve talked about how the rapid pivot to remote work has introduced a tremendous number of new cybersecurity risks for companies. Teleconferencing has become an absolute necessity, and some of the more popular teleconferencing applications have run into widespread issues after being overwhelmed by the volume of users. This has opened the door for relative newcomers, like Zoom, to fill the gap for impatient companies.
As we’ve warned before, however, implementing new software and services without considering cybersecurity implications is a recipe for disaster. Now, companies that have switched to Zoom have been forced to confront several newly discovered security issues within the platform.
Perhaps the oldest exploit in hacking is social engineering. Social engineering can be accomplished without writing a line of code and usually just requires a bad actor to ask for sensitive data through some means of deception. In the case of Zoom meetings, all that anyone needs to enter a meeting is the meeting’s Zoom code, and it appears deception may not even be necessary – some people are simply asking for codes online.
This has led to video calls being disrupted with hate speech, cyber harassment, pornography and threats from unknown users who entered the calls just by obtaining the code. The phenomenon, known as Zoombombing, has become a major embarrassment for the platform.
In one of the most widely reported stories, a 17-year-old named Malissa was able to build a considerable TikTok following by requesting Zoom codes from Instagram followers and crashing class lectures for social media attention. She even posted videos of herself crashing classes while bringing along 60 other people to maximize the disruption. There is even a Twitter account called @zoom_codes that is coordinating Zoombombings.
While disruptions in classrooms are a problem, the bigger concern is potentially exposing sensitive information and client data to a bad actor who is eavesdropping on a Zoom conference that is not secured. This is not only potentially damaging to the business but could also create compliance liability for failing to protect user data, depending on the industry and the state where the business is located.
While Zoom does offer password and waiting room features, they are not enabled by default, and many businesses have started using the platform without being aware of all the security implications. The problem has become such a concern, with reports of widespread disruption across the country, that the FBI has released a warning specifically about Zoom.
End-to-End Encryption and Third Party Data Collection
While Zoombombing may be embarrassing and disruptive, there are other concerns with Zoom that are potentially more damaging. One of the first security revelations about the platform was that Zoom was covertly sharing user data with Facebook without proper notice. Zoom later removed the code that transferred data to Facebook after public uproar, but the company now faces class action lawsuits for its breach of user privacy. In some states, data privacy regulations may also make Zoom’s actions illegal.
Perhaps even more concerning is Zoom’s misrepresentation of its encryption. Zoom had advertised its video calls as having end-to-end encryption, but that was discovered to be completely false. Instead, the software uses its own encryption scheme in which key management system servers generate the meeting keys, which are then distributed to participants over TLS. Because the servers generate and hold the keys, whoever controls those servers can in principle decrypt the meeting, which is precisely what end-to-end encryption is meant to rule out.
A study by the University of Toronto found that a large number of these key management system servers are located in China, and any key generated may be legally obligated to be disclosed to Chinese authorities. The researchers concluded that Zoom is “not suited for secrets.”
This lack of end-to-end encryption means that there are easier pathways for bad actors to exploit Zoom. A former NSA hacker was able to identify two new security flaws in the platform that allow an attacker not only to access a victim’s device but also to maintain that access continually in order to install malware or steal sensitive data.
This comes after a pair of Zoom zero-day exploits were found, including a bug that allows a hacker to steal Windows passwords. Again, this highlights the necessity of proper business continuity planning and of employing an effective Incident Command System that can provide a hierarchy for managing new platforms and applying security best practices. If you have switched your office to working remotely and are unsure about your cybersecurity now, reach out to us for a free impact assessment.
Tips for Securing Zoom Meetings
If you have no other video conferencing solution and must use Zoom, there are some best practices we can suggest to keep your meetings secure:
- Create a Meeting Password – In the Settings tab, navigate to the Meeting tab and set the password setting for all of your meetings.
- Disable “Join Before Host” – In the Settings tab, navigate to the Meeting tab, scroll to “Join Before Host” and toggle the setting off.
- Disable “Allow Removed Participants to Rejoin” – In the Settings tab, navigate to the Meeting tab. Click “In Meeting (Basic),” scroll to “Allow Removed Participants to Join,” and toggle the setting off.
- Disable File Transfer – In the Settings tab, navigate to the Meeting tab. Click “In Meeting (Basic),” scroll to “File Transfer” and toggle the setting off.
- Set Screen Sharing to “Host Only” – In the Settings tab, navigate to “Screen Sharing.” Under “Who can share?” select “Host Only.”
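Because none of these settings are on by default, it helps to check them routinely rather than once. The script below is an added example (not Zoom’s code or API) that audits an exported settings document against the five-item baseline above and reports every deviation; the nested field names and the sample exports are constructed for illustration and must be mapped to whatever your real export contains.

```python
from typing import Any, Dict, List, Optional

# Hardening baseline: (assumed dotted field path, required value, the tip it enforces)
BASELINE = [
    ("schedule_meeting.require_password", True, "Create a Meeting Password"),
    ("schedule_meeting.join_before_host", False, "Disable 'Join Before Host'"),
    ("in_meeting.allow_removed_participants_to_rejoin", False,
     "Disable 'Allow Removed Participants to Rejoin'"),
    ("in_meeting.file_transfer", False, "Disable File Transfer"),
    ("in_meeting.who_can_share", "host", "Set Screen Sharing to 'Host Only'"),
]

def lookup(settings: Dict[str, Any], path: str) -> Optional[Any]:
    """Walk a dotted path through nested dicts; None means the field is absent."""
    node: Any = settings
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def audit(settings: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one finding per baseline item that is missing or set insecurely.
    A missing field is reported too: an unset toggle falls back to the
    permissive default, so silence is not evidence of a safe configuration."""
    findings = []
    for path, required, tip in BASELINE:
        actual = lookup(settings, path)
        if actual != required:
            findings.append({"setting": path, "required": required,
                             "actual": actual, "fix": tip})
    return findings

# Constructed sample: an account left on the permissive defaults.
DEFAULT_EXPORT = {
    "schedule_meeting": {"require_password": False, "join_before_host": True},
    "in_meeting": {"allow_removed_participants_to_rejoin": True,
                   "file_transfer": True, "who_can_share": "all"},
}

# Constructed sample: the same account after applying the tips above.
HARDENED_EXPORT = {
    "schedule_meeting": {"require_password": True, "join_before_host": False},
    "in_meeting": {"allow_removed_participants_to_rejoin": False,
                   "file_transfer": False, "who_can_share": "host"},
}

if __name__ == "__main__":
    for finding in audit(DEFAULT_EXPORT):
        print(f"{finding['setting']}: {finding['actual']!r} -> {finding['fix']}")
```

Run it on an export pulled from each account on a schedule, and treat any non-empty result as configuration drift to fix before the next meeting.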