If you're using Zoom video and audio conferencing for business, you need to think about adding secure layering
The UK government’s use of the video conferencing app Zoom has flagged the importance of online security and privacy, once again. Global lockdowns due to the spread of the Covid-19 virus have led to a massive hike in the use and popularity of Zoom (https://www.theguardian.com/commentisfree/2020/apr/04/its-time-for-zoom-to-look-at-the-bigger-picture), however, important concerns about its security and safety hit the headlines during the first week of April mainly as a result of the government holding Cabinet meetings and discussions via the app.
How government use of Zoom video conferencing flagged up poor security measures on the app
Zoom launched in 2011 and offers free or paid meeting/conferencing facilities. By December 2019, the app was used by about 10mn consumers across both sides of the business. There was no way the company could have foreseen how use would balloon during the coronavirus epidemic. By March 2020, more than 200mn users were registered and active on the app (https://www.bbc.co.uk/news/technology-52133349). In much the way that the word “Google” is a recognised verb denoting online search, the word “Zoom” has become synonymous with online video conferencing. The app’s popularity has seen the company share price more than double through March, at a time when most shares are dropping like a stone.
It goes without saying, of course, that in this day and age, security and privacy of all Zoom users should have been paramount, and using the app for UK government Cabinet meetings highlighted just how weak the app is in this respect.
When Prime Minister, Boris Johnson, tweeted an image of him using Zoom conferencing which showed the current meeting ID in full, issues surrounding privacy and what’s known as ZoomBombing became headline news around the world.
What is ZoomBombing?
By the end of March 2020, Zoom was the most popular download for Apple devices and second most popular for Google Android. Individuals locked into their homes have used the app for audio and video conferencing with friends and work colleagues during the coronavirus epidemic. It’s an easy matter to download the app, and users just need the unique meeting ID to access any conference support.zoom.us/hc/en-us/articles/206175806-Top-Questions?_ga=2.87345304.1082240408.1586158405-1471049019.1586158405#h_bd83fa44-e32f-47b6-8fd6-0e2d1eb6077b This ease of use has led to the creation of another Zoom-related noun, “ZoomBombing”.
ZoomBombing refers to uninvited guests who join conferences on the app in order to abuse, vilify or spy on meetings. All these hackers have needed to join most meetings so far is the relevant ID. When Boris Johnson shared the Twitter image of his Zoom Cabinet meeting, the ID was clearly shown in the corner. Although it’s possible to add another security layer to conferencing by password protecting, in practice many users don’t carry out this simple privacy solution.
Added security concerns with the Zoom app
It’s not just ZoomBombing that’s a concern for privacy experts, however. An article in The Guardian newspaper on 2 April was written under the header: “Zoom is malware”, and highlighted many more pertinent privacy issues raised by the app, alongside concerns that the app was “fundamentally corrupt”.
Issues include:
Lack of end-to-end encryption
Although Zoom advertises that it uses end-to-end encryption, this claim is actually false. Zoom apologised to users for any incorrect suggestions that secure encryption was in place and stated that it is not presently possible with the platform.
Variety of important security flaws
A range of security issues with Zoom have been reported over the years. This includes the fact that the site fitted a clandestine web server on user devices in 2019, enabling individuals to be added to calls without express permissions. In addition, in the first week of April security researchers found a bug which could enable illegal hackers to take over the Mac device of any user, even to the extent of hacking the mic and webcam.
US officials, headed by the New York Attorney General, have been pursuing this issue and all other concerns with Zoom, and the company said that the latest software had fixed the issue with Mac (https://www.theguardian.com/technology/2020/apr/02/zoom-technology-security-coronavirus-video-conferencing). However, Arvind Narayanan, a computer science professor at Princeton commented that: “The number of issues with Zoom in the past make it as bad as malicious software.” He went on to add: “Let’s make this simple. Zoom is malware.”
Surveillance trackers within the app
With its in-app surveillance (known as attention tracking), hosts have the ability to see when any user clicks out of the Zoom box for more than 30 seconds. This is a work/learning feature which enables employers to check out if users are paying attention during conferencing, or allows teaching staff to see if their students are remotely attending to class or seminar presentations.
Onward sale of user details and data
And finally, reports are also indicating that Zoom is selling on iOS user data to Facebook, even in circumstances where the app user doesn’t actually have an account with Facebook.
The sale of user data is cited in a lawsuit which was filed in California in the first week of April, which accuses Zoom of “failing to properly safeguard the personal information of the increasing millions of users” on the platform.
Are you using Zoom for business conferencing during lockdown?
If you’ve been advised to use Zoom for at-home work purposes, you’re well advised to draw these issues to the attention of management teams and IT departments. Zoom has published some answers to the queries raised by the New York Attorney General on its website. However, as the old saying goes, “If something looks too good to be true, it probably is”. It may be a good idea for any business to think twice before trusting this provider to offer private and secure video conferencing.