With Americans working from home at an unprecedented rate and with very little notice, some staff members are looking for options that allow them to continue their work, often without the input or recommendations of their IT teams. The recent shift to a fully remote workforce has moved the cybersecurity spotlight onto the audio and video conferencing platforms that we rely on now more than ever. One of these platforms is Zoom, a very popular video-conferencing application that many of our customers use daily. While Zoom is used by millions of individuals each week, it is vital to keep in mind that this easy-to-use freemium software carries some potential risks if you do not take advantage of its common configuration and security settings to secure your meetings and your usage of the platform. It is also important to note that this particular issue is not necessarily unique to Zoom; it can also occur on other platforms where meetings are not appropriately configured.
Zoombombing: How Can You Mitigate This Issue?
With the news full of reports of individuals popping into Zoom meetings with hate speech, pornography or plain disruption, the security of the Zoom communications platform has taken more than its share of heat in recent weeks. While there are admittedly a few challenges to consider when you are holding remote meetings, the good news is that the team at Zoom is being very responsive to the needs of its user base and is taking swift action towards resolution. Here are suggestions that will help you maintain your security (and your patience!) during a workday heavy with remote meetings.
What is Zoombombing?
While it may sound like a fun term for having your kids or pets pop into the back of your video conference during an important call, Zoombombing is actually a much more serious security flaw with this popular video conferencing platform. Unfortunately, Zoom meetings can be “broken into” by unauthorized attendees: individuals who simply run a web search for URLs that contain “zoom.us” and then join the meetings they find. Other companies publicly post links to Zoom meeting rooms on corporate websites and social media, providing a virtual welcome mat for uninvited guests. While these issues are troubling, there are additional security flaws within Zoom that need to be addressed to keep your organization’s cybersecurity intact.
Stay Aware of Issues to Prevent Zoombombing and Boost Security
There are some ways to mitigate the possibility of Zoombombing and ensure that your company communications remain secure. This type of intrusion is very troubling for organizations because someone entering the meeting without prior authorization could capture screenshots or audio recordings, or disrupt the meeting with unwanted messaging. Zoom has advanced privacy and security settings that will help keep unauthorized individuals out of your Zoom meetings, including:
- Enable meeting passwords by selecting the “Require meeting password” under the ‘Meeting Options’ area within Zoom
- Turn on the waiting room feature, which allows the host to control how and when others enter the meeting space
- Disable the ability for others to join before the host is there to moderate the conversation
- Under ‘Advanced Sharing Options’ on the ‘Share Screen’ area, ensure that ‘Only Host’ is marked in the ‘Who Can Share’ area to limit the possibility that others could take visual control of the meeting
- Reduce the possibility of exposing your Zoom password in Outlook by only scheduling meetings using the Zoom Outlook plug-in (keeps your password hidden from others viewing your calendar)
- Immediately remove unwanted attendees from your webinar or Zoom meeting by navigating to ‘Manage Participants’, then ‘More’, selecting the individual’s name and clicking ‘Remove’
- Once all attendees have joined your meeting, the host can ‘Lock’ the meeting by selecting ‘Manage Participants’, ‘More’ and ‘Lock Meeting’
While these steps may not block every potential security risk, they can help your team have more control over the possibility of Zoombombing and improve the overall security of your private corporate meetings.
Zoom has also published a helpful security reference that we strongly recommend you review as well.
Zoom Client and Platform Security Concerns
While there has been a fair amount of recent coverage in the news and online about Zoom’s security, the company has moved quickly to mitigate the issues that were found. They have even gone so far as to pause all other development efforts in order to focus on these challenges as they arise, manage expectations, and maintain a reliable platform as usage continues to rise. Here are a few of the security issues and what is already in process in terms of resolution.
macOS Physical Access Flaw
One flaw discovered affects macOS: an attacker with physical access to a Mac running Zoom could inject code into the Zoom installer, allowing it to obtain “root” permissions, the highest available permissions on the computer. Malware installed in this manner would essentially have full access to the system and would inherit any permissions that the Zoom client has, such as audio and video access. At the time of this writing it remains unpatched, but luckily it requires physical access to the device, making this vulnerability much more difficult to exploit, especially with everyone staying at home.
Potential Windows Credential Leak
Security researchers recently discovered a flaw in the way the Zoom chat handles URLs. While chatting with a nefarious person, that individual could send you a link to a UNC path (such as \\192.168.1.1\SharedFolder) and Zoom would convert it into a clickable link. When clicked, your Windows computer would automatically try to authenticate to that potentially malicious system, sending it a hashed version of your computer’s password. Luckily, Zoom has pushed an update to the Windows client that addresses this concern. If you have automatic updates enabled, you should receive a popup asking you to install the update.
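As an added illustration of the defensive fix described above (example code written for this article, not Zoom’s own code), the following Python renders chat text as HTML and turns only http(s) URLs into clickable links. A UNC path such as \\192.168.1.1\SharedFolder is shown as plain text, and, going one step beyond the specific case in the text, so is any other scheme such as file:// that can also point at a network share. The names classify, find_links and render_chat_message, and the sample chat line, are this example’s own constructions.

```python
import html
import re
from typing import List, Tuple

# Only these URL schemes are ever turned into clickable links (an allowlist, not a blocklist).
SAFE_SCHEMES = ("http", "https")

# Link-like tokens in a chat message: a UNC path (\\server\share\folder) or a scheme://... URL.
# The UNC alternative comes first so a whole path like \\192.168.1.1\SharedFolder is one token.
TOKEN = re.compile(
    r'(?P<unc>\\\\[^\s\\]+(?:\\[^\s\\]*)*)'             # \\server\share\...
    r'|(?P<url>[a-zA-Z][a-zA-Z0-9+.\-]*://[^\s<>"]+)'   # scheme://rest
)


def classify(token: str) -> str:
    """Return 'unc', 'safe_url' or 'unsafe_url' for one link-like token."""
    if token.startswith('\\\\'):
        return 'unc'                      # clicking would start an SMB authentication attempt
    scheme = token.split('://', 1)[0].lower()
    if scheme in SAFE_SCHEMES:
        return 'safe_url'
    return 'unsafe_url'                   # file:// and similar can also resolve to a network share


def find_links(message: str) -> List[Tuple[str, str]]:
    """List every link-like token in the message together with its classification."""
    return [(classify(m.group(0)), m.group(0)) for m in TOKEN.finditer(message)]


def render_chat_message(message: str) -> str:
    """Render chat text as HTML, hyperlinking only http(s) URLs.

    Everything else, UNC paths included, is HTML-escaped and left as plain text,
    so a single click can never trigger an authentication attempt to a remote host.
    """
    parts = []
    pos = 0
    for m in TOKEN.finditer(message):
        parts.append(html.escape(message[pos:m.start()]))
        token = m.group(0)
        if classify(token) == 'safe_url':
            parts.append('<a href="%s">%s</a>' % (html.escape(token, quote=True), html.escape(token)))
        else:
            parts.append(html.escape(token))   # visible, but not clickable
        pos = m.end()
    parts.append(html.escape(message[pos:]))
    return ''.join(parts)


if __name__ == '__main__':
    # Constructed sample chat line: a normal web link plus the UNC example from the article.
    sample = r'join at https://example.com/join/abc or open \\192.168.1.1\SharedFolder'
    for kind, tok in find_links(sample):
        print(kind, tok)
    print(render_chat_message(sample))
```

The design choice worth noting is the allowlist: rather than trying to enumerate every dangerous path form, the renderer hyperlinks only the two schemes a chat client actually needs and leaves everything else as inert text.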
Zoom Sharing Analytics with Facebook
Most people would be surprised by the level of analytics captured by Facebook and other social media platforms. In an issue that Zoom resolved immediately, the iOS mobile application was found to be sending analytics data to Facebook, even if you did not have a Facebook account. According to Zoom, this was due to its use of Facebook’s iOS SDK, which enables “Login with Facebook”, a popular method for non-enterprise users to create a Zoom account. Zoom addressed and fixed this once it was brought to their attention, and Zoom also recently shut down a LinkedIn integration that the company felt was sharing too much information with that popular networking platform.
Zoom Leaking Photos and Email Addresses for Free Users
Perhaps the most troubling of these issues involves a Zoom feature called Company Directory, which automatically builds a list of all users who share the same email domain. For instance, if you signed up for Zoom using an @coretelligent.com email address, you would be added to that directory. Zoom maintains a blacklist of public email domains such as Gmail, Hotmail and Yahoo, but with new domains being created every day it is hard to stay ahead of the curve. Fortunately, this feature does not present additional dangers to most organizations, as your company most likely does not provide free, public email addresses to people outside your organization.
Understanding Zoom’s Encryption Technology
There have been recent articles around the internet calling out Zoom for potentially misleading marketing surrounding its encryption practices. Even though Zoom has traditionally marketed “end-to-end encryption”, the platform does not use full end-to-end encryption for its video and audio calls. End-to-end encryption means the audio or video is encrypted on one user’s device and can only be decrypted on the other user’s device, so no intermediary can read it along the way. Currently, Zoom calls are encrypted in transit, but they all pass through Zoom’s servers, meaning there is a point where that information can be decrypted. For those concerned with the potential privacy implications, Zoom addressed this encryption misunderstanding in their own blog post, where they stated: “Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list.”
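To make the distinction in the paragraph above concrete, here is an added Python model (written for this article; it is not Zoom’s code and does not describe Zoom’s actual protocol) of a media relay that terminates each client’s transport encryption, run once without and once with an additional end-to-end layer. The Relay class, run_call and the SHA-256-based toy stream cipher are this example’s own constructions; the toy cipher exists only to show where plaintext is reachable and is not suitable for real use. In transport-only mode the server can read the frame after stripping the transport layer; in end-to-end mode it sees only ciphertext, because the meeting key never leaves the two clients.

```python
import hashlib
import os

# Constructed sample: one media frame Alice sends to Bob through the service's relay.
FRAME = b"alice-audio-frame-0001"
NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream built from SHA-256(key || nonce || counter). Constructed purely to
    illustrate where decryption can happen; a real system would use an AEAD cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, data: bytes) -> bytes:
    """Fresh random nonce per message, prepended to the XOR-ed payload."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt: split off the nonce and XOR with the same keystream."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))


class Relay:
    """Hypothetical media server. It terminates each client's transport encryption
    (the role TLS plays in practice) and forwards the media to the other participant."""

    def __init__(self) -> None:
        self.transport_keys = {}   # client name -> key that client shares with the server
        self.observed = []         # what the server sees after removing transport encryption

    def register(self, client: str) -> bytes:
        self.transport_keys[client] = os.urandom(32)
        return self.transport_keys[client]

    def forward(self, src: str, dst: str, blob: bytes) -> bytes:
        inner = decrypt(self.transport_keys[src], blob)   # strip the sender's transport layer
        self.observed.append(inner)                        # the server's view of the media
        return encrypt(self.transport_keys[dst], inner)    # re-wrap for the recipient


def run_call(end_to_end: bool) -> dict:
    """Send FRAME from Alice to Bob via the relay and report what each party could read."""
    relay = Relay()
    alice_tk = relay.register("alice")
    bob_tk = relay.register("bob")
    # End-to-end: the two clients share a meeting key that the server never learns.
    meeting_key = os.urandom(32) if end_to_end else None

    payload = encrypt(meeting_key, FRAME) if end_to_end else FRAME
    on_wire = encrypt(alice_tk, payload)            # transport encryption towards the server
    to_bob = relay.forward("alice", "bob", on_wire)
    received = decrypt(bob_tk, to_bob)
    if end_to_end:
        received = decrypt(meeting_key, received)   # only Bob holds the meeting key
    return {"relay_saw": relay.observed[0], "bob_received": received}


if __name__ == "__main__":
    for mode in (False, True):
        result = run_call(end_to_end=mode)
        print("end_to_end=%s relay_can_read=%s bob_received_ok=%s" % (
            mode, result["relay_saw"] == FRAME, result["bob_received"] == FRAME))
```

The point the model makes is architectural rather than cryptographic: both modes protect the frame on the wire, but only the second keeps the server from ever holding a key that decrypts it, which is what a claim of end-to-end encryption should mean.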
If you have questions or concerns about Zoom or other telecommunications technology that your teams are using during the period of social distancing due to COVID-19, do not hesitate to reach out to the professionals at Coretelligent. Our team is prepared to help organizations of any size ensure that you have the secure and reliable infrastructure you need during the expanded remote work environment and beyond. You can reach our team of technical experts by calling 855-841-5888 or via email to firstname.lastname@example.org to schedule your complimentary initial consultation. You can also view our free resources and recommendations online, with details on how to maintain critical business operations during the current coronavirus crisis.