‘Zoom-bombing’ a danger to meetings
During this pandemic, many are connecting with Zoom’s videoconferencing app — including, on occasion, unwanted visitors.
Online trolls have been sneaking into web meetings and disrupting them with profanities and pornography. Cybersecurity researchers fear this could be a precursor to more harmful attacks.
“Much of our current reality is uncharted territory, and this growing dependence on Zoom at home is just another one,” said Mark Ostrowski, regional head of engineering for Check Point Software Technologies.
“As soon as a platform’s attack surface gets big enough, you can only expect that they’ll become more interesting to attackers. That’s what’s happened to Zoom.”
Zoom said it took security concerns “extremely seriously” and was working to address them. A Zoom representative said in an e-mail that the company had sought to educate users about protecting meetings.
Zoom also apologised for “the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption”. Though the company strives to use encryption in as many scenarios as possible, “we recognise that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it”.
But there’s good news. Users don’t have to follow Elon Musk, whose SpaceX has banned the use of Zoom Video Communications amid privacy concerns.
There are a few simple steps to host secure video meetings, according to security experts. For instance, ensure your meeting is password-protected, and don’t share meeting IDs and passwords on social media, where criminal hackers may grab them.
Experts also recommend that meeting or classroom organisers take a roll call and kick out unwanted visitors.
A rare winner?
Zoom’s shares have more than doubled this year as investors bet that the teleconferencing company would be one of the rare winners from the pandemic.
The company reached about 200-million daily meeting participants in March, according to its blog. But it has also drawn increased scrutiny from cybersecurity and computer privacy experts.
The most recent incident came this week when Patrick Wardle, principal security researcher at Jamf, which manages software for the Apple platform, published a blog post about two new flaws in Zoom. He said that on a Mac already infected with malware, the macOS desktop version of Zoom could enable attackers to gain high-level privileges and hijack the webcam and microphone. Zoom said it subsequently issued fixes for the problems.
Zoom appears to have been designed with security as an “afterthought”, Wardle said.
Zoom said: “We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying and socialising from home.” It promised to improve.
This week the FBI warned about “zoombombing”, urging users not to make classes or meetings public.
A Zoom user is suing the company, claiming its services were illegally disclosing personal information.
The company collects information when users install or open the Zoom application and shares it, without proper notice, with third parties including Facebook, according to the US federal lawsuit. Yet, according to the complaint, Zoom’s privacy policy doesn’t explain to users that its app contains code that discloses information to others.
Zoom acknowledged that it shares data with Facebook.
Concerns over Zoom’s security practices are not new. Last year, a researcher, Jonathan Leitschuh, found that the desktop version of Zoom for Macs installed a web server that allowed hackers to access webcams. Apple plugged that security hole in July.
Holding Zoom’s “feet to the fire” around security and privacy problems amid the app’s new popularity would create incentives for the company to adapt its system, said Leitschuh.