What You Need to Know about Zoom’s Web Conference Security


As we limit our physical interaction with others, we’ve been using video calling and conferencing platforms to communicate. From meetings to lessons and even just chit-chat sessions, Zoom has become a verb to us. However, Zoom has been brought up in the media for several security flaws and issues.

Working from home

COVID-19 has affected us tremendously over the past few months. It is for everyone’s safety that we stay home and physically isolate ourselves from others. As a result, citizens have to work and study from home with online materials. More specifically, many of us have used online video calling and streaming platforms to keep in contact with our team leaders, supervisors, students, teachers and the list can go on.

Use of video conferencing platforms 

As we work from home, we turn to our electronic devices to continue our work and school responsibilities. Meetings, conferences and even classes have mostly been replaced with live streams and web conferences worldwide. Zoom Video Communications easily became the software of choice as it was free to use. Zoom’s active users have increased by 21% since the end of 2019.

Communicating through an online platform may sound risky as a majority of people have access to the internet. Obviously, private conversations and classes should be kept private and uninterrupted. On that account, those who are using web conferencing and online communication platforms would want to face zero cybersecurity issues.

Zoom’s security issues

There have been several reports of security issues with Zoom over the past 3 weeks. As a result, companies have even suspended their staff from using the application.

SpaceX (Elon Musk’s rocket company) and Google banned all employees from using the Zoom application as they found security vulnerabilities.

Due to security concerns, government agencies in Taiwan, Germany and the United States were also told not to use Zoom and to use other software like those from Google and Microsoft.

Within the first few weeks of home-based learning in Singapore, incidents have occurred. One involved obscene images being shared during a geography class call. As a precautionary measure, the Ministry of Education (MOE) even suspended the use of Zoom for 5 days. That was until Zoom introduced more defense mechanisms against hackers.

Zoom has been addressing and acting upon these security issues to provide a more secure and private webinar platform for their users. Founder and CEO of Zoom Eric Yuan has made several public apologies, acknowledging their security faults and promising improved security features. The company is also working on improved updates for the application. These improvements include waiting room improvements, encryption-standard improvements and a renewed focus on protecting health-related data.

Former Facebook and Yahoo Chief Security Officer Alex Stamos also joined Zoom as a security advisor.

Zoom’s security issues

Lack of security for user data

26 March – According to an investigation by Motherboard, Zoom’s iOS application was sending users’ data to Facebook. The Zoom application would notify Facebook of the user’s phone model, time zone, city and when they opened the app. Furthermore, there were advertising IDs created on the user’s device which were used by companies to target advertisements. Now that’s freaky.

27 March – Zoom responded quickly and had the data sharing “feature” removed from the iOS application the next day. 

1 April – Another security flaw was found by Motherboard and Zoom was found to be leaking users’ email addresses and photos. This gives strangers the ability to call others through Zoom.

2 April – The New York Times reported on how Zoom had a feature that allowed participants of a call to access the LinkedIn profile data of other participants – without asking for permission. In Colorado, at least six students and their teacher had their full names and addresses gathered by Zoom, and these could be used by its LinkedIn profile matching tool.

2 April – An automated tool could find Zoom meeting IDs and gather information from several Zoom meetings. The tool was also able to generate meeting IDs (the codes to enter a private meeting) up to 14% of the time.

3 April – The Washington Post reported that thousands of Zoom videos (including personal ones) were available for viewing on the open web. These video calls included personal information and deeply intimate conversations. Many of the videos were recorded from Zoom’s software and uploaded onto an online storage space. Hosts of Zoom calls are able to choose to record them. These recordings are then saved onto Zoom servers or their own. 

6 April – Zoom accounts, along with their names, email addresses, passwords, meeting IDs and host keys, were found on the dark web.

8 April – Zoom released a software update which removed meeting IDs from the title bar while a meeting was ongoing. This slows down attackers who share screenshots of meeting IDs online.

13 April – Cyble, a cybersecurity firm, discovered that over half a million Zoom accounts were being sold, some even being given away for free, on the dark web and hacker forums.

End-to-End encryption & Servers

30 March – The Intercept conducted an investigation which found that Zoom’s video calls weren’t end-to-end encrypted like they had marketed. This means that the audio and visuals of your calls can be accessed by Zoom. While this is concerning, you should know that it is difficult to have video calls be end-to-end encrypted because Zoom needs the audio to identify who is speaking during the call. Either way, they shouldn’t have promised end-to-end encryption when they couldn’t enable it.

3 April – A Citizen Lab report found that Zoom was using less secure encryption than they claimed.

5 April – Zoom “accidentally” allowed calls to be made through Chinese servers. As a result, certain meetings were “allowed to connect to systems in China, where they should not have been able to connect”. The issue has since been fixed and Zoom explained that this incident occurred under “extremely limited circumstances”.

Zoom bugs

30 March – Three Zoom bugs were discovered that made people vulnerable to hackers. Users could have their password stolen or even have their microphone or webcam hacked and taken over.

8 April – Hackers were looking for bugs and vulnerabilities in Zoom’s software to sell.

Zoombombing / Lesson interruptions

30 March – Zoombombing is the disruption of a Zoom call by someone who wasn’t supposed to be part of the call. These disruptors oftentimes screen share to display disturbing or sensitive images. One classroom Zoombombing incident occurred where hackers displayed a swastika on students’ screens.

2 April – 8chan forum users had planned to interrupt the calls of a school in Philadelphia.

3 April – Anonymous attackers were using social media to plan “Zoomraids” (coordinated Zoombombings). These raids disrupted (private) meetings and harassed attendees verbally as well as by displaying racist and pornographic imagery.

8 April – The Zoombombings went to another level with Artificial Intelligence (AI). Imagine the surprise when a Samsung Engineer Zoombombed his colleagues with Elon Musk.

8 April – Default settings for educators enrolled in Zoom’s K-12 program enable virtual waiting rooms and allow only the teachers to share content during class. From 5 April, all Free Basic and Single Pro users can enable passwords and virtual waiting rooms. Educators are also informed on how they can protect their video calls.

How to protect your streams on Zoom

Despite these security flaws, Zoom isn’t unsafe to use. As long as you know how to protect your conferences, you’ll be good for the most part.

If you are interested in conducting a webinar on Zoom, you can adjust your video conference settings in the personal account menu.

  • Do not allow people to join before the host (have a waiting room)
  • Only allow authenticated users to join 
    • Viewers must have a Zoom account; this allows the host to keep track of the people in the conference
  • Password protected conferences
    • Only those who have the password can access the video call
  • Do not enable screen-sharing throughout the stream
    • It is best to turn off screen-sharing
    • If necessary, only enable screen sharing (Host only) when it is needed and turn it off afterwards
  • Do not enable far end camera control
  • Enable the waiting room
    • You can choose the participants to be admitted into the conference
    • Participants in the waiting room can see and hear the conference but cannot interact with the host (like a one-way mirror)
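
If you schedule many conferences, the checklist above can be turned into a quick audit. The script below is an added example, not part of the original article and not Zoom's own code: the setting names are hypothetical stand-ins for whatever your settings export uses, and the sample meetings are constructed.

```python
# Added example: audit exported meeting settings against the checklist above.
# Field names are hypothetical (not Zoom's API); the sample data is constructed.

# Each rule pairs a finding with a predicate that is True when the setting is safe.
# Missing keys fall back to the unsafe value, so an incomplete export fails closed.
RULES = [
    ("participants can join before the host",
     lambda s: s.get("join_before_host", True) is False),
    ("waiting room is disabled",
     lambda s: s.get("waiting_room", False) is True),
    ("unauthenticated users can join",
     lambda s: s.get("authenticated_users_only", False) is True),
    ("no conference password set",
     lambda s: bool(s.get("password"))),
    ("screen sharing is open to participants",
     lambda s: s.get("screen_sharing", True) is False
     or s.get("who_can_share") == "host"),
    ("far end camera control is enabled",
     lambda s: s.get("far_end_camera_control", True) is False),
]

def audit_meeting(settings):
    """Return the checklist violations for one meeting's settings."""
    return [finding for finding, is_safe in RULES if not is_safe(settings)]

def audit_all(meetings):
    """Map meeting topic -> violations, keeping only meetings with findings."""
    report = {}
    for meeting in meetings:
        findings = audit_meeting(meeting.get("settings", {}))
        if findings:
            report[meeting["topic"]] = findings
    return report

# Constructed sample export: one hardened meeting, one left on loose settings.
SAMPLE_MEETINGS = [
    {"topic": "Geography class", "settings": {
        "join_before_host": False, "waiting_room": True,
        "authenticated_users_only": True, "password": "placeholder-passcode",
        "screen_sharing": True, "who_can_share": "host",
        "far_end_camera_control": False}},
    {"topic": "Team stand-up", "settings": {
        "join_before_host": True, "waiting_room": False, "password": "",
        "screen_sharing": True, "who_can_share": "all"}},
]

if __name__ == "__main__":
    for topic, findings in audit_all(SAMPLE_MEETINGS).items():
        print(topic, "->", "; ".join(findings))
```

Screen sharing passes either when it is switched off or when it is limited to the host, matching the two options in the list.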

Zoom 5.0

At the end of April, Zoom released a new update to improve the security of calls. Here are some of the changes made:

  • Security icon
  • Updated host controls
  • Waiting room default on
  • Meeting room password complexity and default on
  • Cloud recording passwords
  • Secure account contact sharing
  • Dashboard Enhancement

Zoom Webinar Customisation

One unique perk of using Zoom for your webinar is the ability to customise the attendee email! As webinars require all attendees to register, this ensures that the webinar will only involve those who have been authorised. There is also the option for you to lock the webinar once all attendees have joined to ensure that you don’t receive any uninvited guests.

An example of how the Zoom attendee email can be customised for your webinar.

Upon registering for the webinar session, Zoom will contact the attendee via email with the details of the webinar along with the link to join.

As shown above, you’re able to customise these aspects of the email:

  • Email subject
  • Banner graphic
  • Event title
  • Introductory text
  • Admin email
  • Footer text

Editing the text and including your company logo may not sound like it can make that big of an impact, but it can really make your webinar session seem much more professional.

Zoom alternatives

FaceTime

  • Only applicable for Apple users
  • Limit of 32 participants

Google Hangouts Meet

  • Limit of people in call depends on G Suite subscription plan type
    • Basic Plan: 100 participants
    • Business: 150 participants
    • Enterprise: 250 participants
  • Able to Screen share and present
  • Able to record meetings
  • Educators can even use Google Meet inside Google Classroom
  • You can read more about Google Meets Live Stream here!

Skype 

  • Free
  • Limit of 50 participants
  • Able to Screen share
  • Able to send files
  • Skype translator available

Microsoft Teams

  • Limit of 250 participants in meeting
  • Able to Screen share
  • Able to record meetings
  • Limit of 10,000 viewers for live events

Discord

  • Free
  • Limit of 10 participants
  • Able to Screen share

StreamYard

  • Free
  • Limit of 10 participants in the broadcast call
  • Able to Screen share

While we use this software to communicate with others, we should always be vigilant and do our part in being responsible in the cyber world too. We hope that this article has been helpful to you! Let us know what web conference software you’re using in the comments below!

Planning to host a live stream or webinar? Consider reaching out to Vivid Snaps, a live streaming service provider in Singapore.


Writer: @furdoors
