5 Zoom Vulnerabilities – How To Avoid Doom With Zoom
April 6, 2020 by Scott Addison
5 Ways to Avoid Doom with Zoom
In Part 1 of “Is Zoom Safe – Keep Your Meetings Secure During COVID-19,” we discussed basic practices to keep unwanted eyes and ears out of your Zoom meetings. In part 2, we explore 5 of the most common and/or concerning Zoom vulnerabilities, and how to manage them.
1. Zoombombing
Zoombombing (an addition to our lexicon coming out of the COVID-19 isolation) is the act of hackers jumping into meetings, taking over the screen, and displaying inappropriate content.
The problem here is that Zoom defaulted to lesser protection/restrictions for ease of use. The ability to avoid these miscreants was always there, but it requires some setup by the user. Here are a few ways to avoid being Zoombombed.
- Do not use your personal meeting ID repeatedly for business meetings.
- Always use a password for your meetings.
- Do not publish the link to your meeting in a public forum.
- Prohibit attendees from sharing their screen.
- Turn on the Waiting Room feature to control when a participant joins the meeting.
- When hosting, keep the Participant list visible to keep an eye on unwanted guests.
2. Not So Secret Recordings
Recording a Zoom meeting is a convenient feature, but hackers have been able to discover recordings of meetings (business meetings, children’s school meetings, intimate meetings) on the internet with a simple Google search.
This can happen when the person recording the meeting saves the file to an unsecured cloud server. Zoom’s naming scheme for all recordings is formulaic and easily guessed. Therefore, a simple search of a portion of a name can find any recordings that have been saved in a publicly-available domain.
Here are a few ways to keep unwanted eyes and ears from your Zoom recordings:
- Think before you record.
- If you record, do not save the file to a separate, unsecured location. Zoom says that their servers are secure (skepticism is encouraged here), so consider just saving to their default servers (none of the discovered recordings came from within the Zoom environment).
- Best practice is to always save to a secure location that is encrypted and requires multi-factor authentication (think OneDrive, iCloud, Dropbox, etc.).
- Always change the name of the saved file.
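As an added illustration of the last two points (not code from the original post), the following Python script audits a folder of saved recordings: it flags files that still carry a formulaic default name, flags files whose permission bits make them readable by everyone, and produces an unguessable replacement name. The default-name pattern `zoom_<number>.mp4/m4a` and the `rec-` prefix are assumptions made for the example, not a statement of Zoom's exact naming scheme.

```python
import re
import secrets
import stat
from pathlib import Path

# ASSUMED default pattern for illustration only (e.g. "zoom_0.mp4"); the real
# scheme may differ, the point is that any fixed, counter-based name is guessable.
DEFAULT_NAME = re.compile(r"^zoom_\d+\.(mp4|m4a)$", re.IGNORECASE)


def flag_default_names(names):
    """Return the file names that still look like an unchanged default name."""
    return [n for n in names if DEFAULT_NAME.match(n)]


def is_world_readable_mode(mode):
    """True if the 'other' read bit is set (anyone on the system/share can read it)."""
    return bool(mode & stat.S_IROTH)


def unguessable_name(original):
    """Build a replacement name that keeps the extension but cannot be enumerated.

    secrets.token_hex(8) gives 64 bits of randomness, far beyond what a
    'try every zoom_N' search could cover.
    """
    suffix = Path(original).suffix.lower()
    return f"rec-{secrets.token_hex(8)}{suffix}"


def audit_directory(directory):
    """Walk a directory and return a list of (file, issue) findings."""
    findings = []
    for path in Path(directory).iterdir():
        if not path.is_file():
            continue
        if DEFAULT_NAME.match(path.name):
            findings.append((path.name, "default name; rename to " + unguessable_name(path.name)))
        if is_world_readable_mode(path.stat().st_mode):
            findings.append((path.name, "world-readable; tighten permissions (e.g. chmod 600)"))
    return findings


if __name__ == "__main__":
    import sys
    for name, issue in audit_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{name}: {issue}")
```

Run it against the folder where recordings land before copying them anywhere shared; a clean run returns no findings.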
3. Espionage/Big Brother
Some reports claim that the encryption keys used for Zoom meetings may, at times, be generated by servers located in China, and that Zoom may be required to provide the Chinese government with encryption keys. Some of these reports tend toward the conspiracy theorist’s line of thought. However, this also raises the distinction between end-to-end encryption and endpoint encryption. Zoom has been criticized, and has acknowledged that it misled the public, for claiming that it uses end-to-end encryption when it was actually using endpoint encryption.
With endpoint encryption, the data moves through servers operated by Zoom, and Zoom potentially has the ability to decrypt the data as it passes through those servers. This is concerning because they would be able to turn over that data to a governmental entity. While the connection from each endpoint (user) to Zoom’s servers is encrypted, the data can potentially be decrypted as it passes along the path. Microsoft and Apple also route video calls through their servers, but they claim that they do not have the ability to decode the data because they employ true end-to-end encryption rather than endpoint encryption.
So, if you have something that is so sensitive you don’t want the Chinese government to know about it, pick up the phone. In fact, you probably already have restrictions in place that would dictate what platforms you are permitted to use. Otherwise, most of us are still on the low-risk side of the scale and have similar exposure as we would using FaceTime, Skype, or other platforms that use that platform’s servers.
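To make the endpoint-versus-end-to-end distinction concrete, here is an added Python model (not Zoom's code, nor anyone's real protocol) of two participants sending a message through a relay server. In the endpoint model the relay holds a separate key for each hop, so it decrypts and re-encrypts in the middle and can read everything; in the end-to-end model the two participants share a session key the relay never receives, so it only ever sees ciphertext. The XOR-with-HMAC keystream is a teaching-aid cipher chosen so the example runs with the standard library alone; it is not a real cipher and should not be reused.

```python
import hashlib
import hmac
import os

NONCE_LEN = 12


def _keystream(key, nonce, length):
    """Toy keystream: concatenated HMAC-SHA256(key, nonce||counter) blocks.
    Illustrative only; not a vetted cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct


def decrypt(key, blob):
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Relay:
    """The server in the middle. 'observed' records what it could actually read."""

    def __init__(self):
        self.hop_keys = {}   # endpoint model: one key per client, shared WITH the relay
        self.observed = []

    def endpoint_forward(self, sender, receiver, blob):
        # Endpoint (transport) encryption: each hop terminates at the relay,
        # so the relay decrypts hop 1 and re-encrypts for hop 2.
        plaintext = decrypt(self.hop_keys[sender], blob)
        self.observed.append(plaintext)          # readable in the clear here
        return encrypt(self.hop_keys[receiver], plaintext)

    def e2e_forward(self, blob):
        # End-to-end encryption: the relay has no key, it just passes bytes on.
        self.observed.append(blob)               # ciphertext only
        return blob


def run_endpoint_model(message):
    """Returns (what Bob receives, what the relay could read)."""
    relay = Relay()
    relay.hop_keys = {"alice": os.urandom(32), "bob": os.urandom(32)}
    blob = encrypt(relay.hop_keys["alice"], message)
    forwarded = relay.endpoint_forward("alice", "bob", blob)
    return decrypt(relay.hop_keys["bob"], forwarded), relay.observed[0]


def run_e2e_model(message):
    """Returns (what Bob receives, what the relay could read)."""
    relay = Relay()
    session_key = os.urandom(32)  # agreed between Alice and Bob; never given to the relay
    blob = encrypt(session_key, message)
    forwarded = relay.e2e_forward(blob)
    return decrypt(session_key, forwarded), relay.observed[0]


if __name__ == "__main__":
    msg = b"quarterly numbers"  # constructed sample message
    for label, fn in (("endpoint", run_endpoint_model), ("end-to-end", run_e2e_model)):
        received, seen = fn(msg)
        print(f"{label}: Bob got {received!r}; relay saw {seen!r}")
```

In both models Bob receives the message intact, which is why "the call is encrypted" is true in either case; the difference lies entirely in what the relay is able to hand to a third party.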
4. Sometimes I Feel Like . . . Somebody’s Watching Me (Credit Rockwell, 1984)
In mid-2019, it was discovered that the Zoom app turned on a webserver on Macs. This created a vulnerability allowing malicious websites to pull the user into a Zoom meeting without his or her knowledge or input (via audio and even video).
When the Zoom application was installed on a Mac, it enabled a webserver process that allowed Zoom to be used in Safari (because Safari has some restrictions that other web browsers such as Chrome and Firefox do not). Software developers discovered that the webserver processes installed by the Zoom application were “listening” and could be tricked into pulling the user into a Zoom meeting if a webpage had code embedded in it that triggered those processes. The user never knew that he or she had been pulled into the meeting or that bad guys could be listening or even watching. (Apple has since fixed this problem.)
So, what else should you do to protect against prying eyes?
- Always keep your software and operating system up to date.
- Turn on the local firewall included in the macOS operating system.
- Use a privacy cover for your camera (tape, sticky notes, etc. work). I prefer the slide thingy. Keep the camera covered unless you are using it.
- Be careful about what websites you visit. Try to be as intentional as possible about going to a website rather than clicking on random links.
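The underlying lesson of the Mac issue is that an installed application quietly left a network listener running, so a useful habit is to check what is listening on your machine and question anything you did not expect. The following Python script, added here as an example and not taken from the original post, parses the output of `lsof -nP -iTCP -sTCP:LISTEN` (a real command on macOS and Linux) and reports every listening process that is not on an allow-list you maintain. The sample output, the process name `ExampleVC` and port `28080` are constructed for the example.

```python
import shutil
import subprocess

# Constructed sample of `lsof -nP -iTCP -sTCP:LISTEN` output (not real machine data).
SAMPLE_LSOF = """\
COMMAND     PID   USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
rapportd    412   scott   4u  IPv4 0x1a2b3c4d5e6f      0t0  TCP *:49152 (LISTEN)
ControlCe   455   scott   9u  IPv4 0x1a2b3c4d5e70      0t0  TCP *:7000 (LISTEN)
ExampleVC  8123   scott  12u  IPv4 0x1a2b3c4d5e71      0t0  TCP 127.0.0.1:28080 (LISTEN)
"""


def parse_listeners(lsof_text):
    """Turn lsof LISTEN lines into dicts with command, pid, host and port."""
    listeners = []
    for line in lsof_text.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[-1] != "(LISTEN)":
            continue  # header or non-listening entry
        host, port = parts[-2].rsplit(":", 1)
        listeners.append({
            "command": parts[0],
            "pid": int(parts[1]),
            "user": parts[2],
            "host": host,
            "port": int(port),
        })
    return listeners


def find_unexpected_listeners(lsof_text, allowlist):
    """Return listeners whose process name is not in the allow-list.

    A localhost-only bind (127.0.0.1) is still reported: the Mac issue above
    was exactly a local listener reachable from a web page in the browser.
    """
    return [l for l in parse_listeners(lsof_text) if l["command"] not in allowlist]


def collect_live_lsof():
    """Run lsof on this machine, or return None if lsof is not installed."""
    if shutil.which("lsof") is None:
        return None
    result = subprocess.run(
        ["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"], capture_output=True, text=True, check=False
    )
    return result.stdout


if __name__ == "__main__":
    # Maintain this list yourself: processes you have verified should be listening.
    allowed = {"rapportd", "ControlCe"}
    text = collect_live_lsof() or SAMPLE_LSOF
    for l in find_unexpected_listeners(text, allowed):
        print(f"unexpected listener: {l['command']} (pid {l['pid']}) on {l['host']}:{l['port']}")
```

Anything the script reports deserves a look: find out which application owns the process, whether it still needs to listen, and whether an update or uninstall removes it.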
5. Facebook Likes Your Zoom Shares
Facebook now invades every aspect of our lives and collects data anywhere it can; that is certainly no secret. Therefore, it is no surprise that it would do so with Zoom. Zoom says that the information it shared with Facebook related only to the devices being used, and that it did not share users’ personal information.
Zoom has now removed the problem code and changed its login process involving Facebook to avoid this unauthorized sharing. You can avoid this problem by NEVER using the “Log in with Facebook” for any platform other than Facebook!
Several other issues have been reported and fixed and can be learned about on technical sites around the Internet. The bottom line is that Zoom got too big, too fast and subjected itself to massive attacks and probes. Earlier scrutiny and vulnerability testing would have been beneficial to the user. It still remains a reliable and fairly secure platform that many find to be superior in usability and feature-sets. They are clearly beefing up their efforts to identify and fix any security flaws.
Now, on to Zoom meeting 105.