Right now, it can be tough at times to be a Zoom user. That’s because bad actors have found holes in Zoom security and they’ve been busy exploiting them.
The Zoom security breach is exacerbated by the huge increase in business the platform has had recently; with COVID-19 at its peak, it seems everyone has turned to Zoom, relying on the platform to transition a new cadre of remote workers into communication ninjas. But “Zoombombing” is casting shadows on what should be a bright future for the video conferencing platform. Here’s how your company can fight back against cyber-criminals – or other pests – seeking to create Zoom privacy issues for your company.
Zoom Privacy, Zoombombing, and Other Zoom Security Issues
According to The New York Times, Zoom is under review by the Attorney General of New York for security issues; further reporting suggests Florida and Connecticut are also looking into Zoom security issues. That’s because a series of recent incidents drew attention to Zoom security flaws: individuals “Zoombombed” unsuspecting companies, classrooms, and simple private conversations, flooding customer video conferences with obscene or hateful messaging.
The first Zoombombing incidents – unauthorized users joining a video meeting and spamming the conversation with bigotry, pornography, or other offensive content – came on the heels of other bad news for Zoom. They happened about a week after it was reported that the Zoom mobile app sends data to Facebook. In response, the New York Times reported some school districts blocked educators from using Zoom for student distance learning, citing Zoom privacy as a concern. Vice scolded Zoom, saying, “Zoom is not forthcoming with the data collection or the transfer of it to Facebook.”
Right around the same time, BleepingComputer reported that a Zoom security flaw allowed hackers to steal the Windows credentials of anyone who clicks a link shared via the chat feature.
Vice countered with a report suggesting Zoom was leaking customers’ personal information, including email addresses and photos, to strangers. Zoom’s “Company Directory” setting automatically adds others to an end user’s shared lists of contacts if those users signed up with the same domain name. While that feature could be convenient if you’re one person in a corporate sea of people, customers that sign up with a personal email address from non-popular domains can be pooled with thousands of other people using those same free email services. Vice highlighted the Zoom security issue with Dutch domains xs4aa.nl, dds.nl, and quicknet.nl. (Yahoo, Gmail, and Hotmail are excluded from the issue.) To Zoom’s credit, they fixed the issue as soon as customers reported it.
These aren’t the first security incidents for the popular video conferencing platform, either. Last year, Vox reported on a Zoom security issue for Macs that allowed a hacker to turn on an end-user's webcam without their permission and join a Zoom call.
Zoom is currently working to update its platform. In a message on their blog, they state that they have updated their policies and are working to repair the issues as quickly as they can. (As we write this, some have been corrected.) In the meantime, there are a few steps that Zoom customers can take to protect themselves against Zoombombing.
Fixing Zoom Privacy Issues
The increased scrutiny around these Zoom security flaws offers lessons for any video conferencing service. It couldn’t come at a more challenging time, as millions of people turn to these services to help them conduct business as usual during what have been very unsettling times.
The good news is that Zoom has activated a number of protective features to help prevent Zoombombing, while actively working to fix any other Zoom issues that arise. Right now Zoom users can follow these recommendations to fix Zoom privacy issues:
· Set up waiting rooms. Go into Zoom web settings and set up a waiting room for your Zoom meetings. A waiting room is a virtual holding area for video conference attendees to enter before the call starts. This allows the host to validate each attendee.
· Manage participants. Go to the Zoom application window and click the “manage participants” button at the bottom. You’ll see “more” near the bottom right corner of the window that opens. Select “lock meeting” to keep unwanted participants out.
· Block screen sharing. Go to Zoom web settings, where you can block meeting participants from taking control of what everyone sees or from sharing what’s on their computer screen.
· Practice safer social sharing. You also should never share your meeting login information publicly on social media.
· Use a unique code for external video conferencing. Zoom allows you to set up a Personal Meeting ID (PMI) that can be used over and over for recurring meetings. While this code is convenient for members of your team or anyone else you trust, it’s not a good idea to widely share the code with strangers. Instead, you can allow the application to provide you with a unique code for each meeting. You should use this feature any time you invite outsiders into your video call.
Other workarounds for any Zoom issues you might have include disabling the “Join Before Host” feature so people can’t come to the meeting early and cause problems. You can also enable a “Co-Host,” so two of you can manage how the meeting runs. TechCrunch says you should also disable “Allow Removed Participants to Rejoin,” so anyone that’s been kicked out can’t come back.
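The recommendations above, expressed as an automated check (an added example, not part of the original article or any Zoom tooling): it audits a constructed list of meetings against the settings recommended here. The field names and the `example.com` organization domain are assumptions for illustration, not Zoom's API schema.

```python
# Added example: field names are hypothetical, not Zoom's API schema.
ORG_DOMAIN = "example.com"  # assumed internal e-mail domain

# Constructed sample: three scheduled meetings as an admin might export them.
MEETINGS = [
    {"topic": "Weekly team sync", "uses_pmi": True, "waiting_room": True,
     "join_before_host": False, "participants_can_share": False,
     "removed_can_rejoin": False,
     "invitees": ["ana@example.com", "raj@example.com"]},
    {"topic": "Vendor demo", "uses_pmi": True, "waiting_room": False,
     "join_before_host": True, "participants_can_share": True,
     "removed_can_rejoin": True,
     "invitees": ["ana@example.com", "sales@vendor.test"]},
    {"topic": "Public webinar", "uses_pmi": False, "waiting_room": True,
     "join_before_host": False, "participants_can_share": False,
     "removed_can_rejoin": False, "invitees": ["guest@partner.test"]},
]


def is_external(address, org_domain=ORG_DOMAIN):
    """True when the invitee's e-mail domain is not the organization's."""
    return address.rsplit("@", 1)[-1].lower() != org_domain.lower()


def audit_meeting(m):
    """Return findings for one meeting; a missing setting counts as unsafe."""
    findings = []
    if not m.get("waiting_room", False):
        findings.append("waiting room is off")
    if m.get("join_before_host", True):
        findings.append("Join Before Host is on")
    if m.get("participants_can_share", True):
        findings.append("participants can share their screen")
    if m.get("removed_can_rejoin", True):
        findings.append("removed participants can rejoin")
    # A reusable Personal Meeting ID is fine for the team, not for outsiders.
    outsiders = [a for a in m.get("invitees", []) if is_external(a)]
    if m.get("uses_pmi", False) and outsiders:
        findings.append("Personal Meeting ID used with external invitees: "
                        + ", ".join(outsiders))
    return findings


def audit(meetings):
    """Map each meeting topic to its findings, omitting clean meetings."""
    report = {m["topic"]: audit_meeting(m) for m in meetings}
    return {topic: f for topic, f in report.items() if f}
```

Calling `audit(MEETINGS)` reports only the "Vendor demo" meeting; the team sync passes even though it uses the Personal Meeting ID, because every invitee is internal.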
All of these tools can help ensure you don’t fall victim to any Zoom security issues. You should also set up an alternative video conferencing partner—just in case.
Having a Zoom Alternative—Just in Case
PC Magazine came to the defense of Zoom around the issue of Zoombombing, stating, “It wasn’t a technological weakness in Zoom that allowed these events to occur. It was a matter of the host not knowing all the features in the tool and how to use them.” While this is true, there are genuine Zoom security issues that need addressing (and are being addressed, thankfully). Security Boulevard has a laundry list of Zoom security flaws and concerns.
During this unprecedented time, we need every video conferencing service to be as secure and efficient as possible. From remote employees trying to maintain business as usual to K-12 educators and university professors, to even doctors providing telemedicine to their patients, video conferencing is now more than a commodity—it’s how we get things done.
Organizations seeking a reliable foil to Zoom should consider MegaMeeting or another video conferencing service to provide redundancy and increase security.
MegaMeeting offers clients numerous video conferencing best practices to help counteract Zoom security flaws. For example, our standard operating procedures include:
· A verified user option, which creates an encrypted key for each invited guest. This means only one user per invitation can get into the meeting.
· End-to-end encryption of all data, both in transit and at rest, using standardized encryption protocols such as DTLS, SRTP and WSS, to name a few.
· Explicit permission is required to access cameras and microphones using our tool.
· A browser-based system that requires no downloads. This is perfect for organizations concerned about downloading any app, like Zoom, that might inadvertently be a platform for malware or add vulnerability.
MegaMeeting is a secure alternative to your current video conferencing platform. Talk with our team today about how we can help.
MegaMeeting solves the biggest challenges of modern video conferencing. For users, it is an all-in-one platform that delivers both video conferencing and webinars in a single, simplified interface. For attendees, it is 100% browser-based, making it highly accessible; joining a meeting is instantaneous from a single click. For enterprises, it is highly customizable, with white-labeling options for a private branded solution. For developers, it is API-driven and easy to integrate.
Powered by WebRTC, Node.js, React, and GraphQL, it is a cutting-edge platform that is fun and easy to use for users and developers alike.