There are multiple videoconferencing platforms out there, but unless you’ve been practicing social distancing from your phone, tablet and laptop as well as people for the past few weeks, the one you’ve been hearing about is Zoom.
That’s in part because Zoom has been one of the most popular of its kind for a while — for good reasons. It’s relatively easy to use, and it has a basic tier that is free. DGI ranked it first on its list of the “7 best video conferencing software platforms for 2020.”
But it is also because when the ongoing pandemic sent millions of workers from their offices to their homes, the number of people using Zoom daily, according to CEO Eric Yuan, skyrocketed from an estimated 10 million to more than 200 million and rising. What company wouldn’t celebrate a 20-fold increase in its customer base?
Not to mention that, as the Motley Fool reported, while the rest of the market was crashing, Zoom’s stock rose 145% in the first three months of the year. Of course, it then sank during the past couple of weeks, after its explosive growth led to a torrent of scrutiny from both good and bad guys.
In a twist on the old Willie Sutton line about robbing banks “because that’s where the money is,” hackers increasingly focused on Zoom because that’s where millions more potential victims are.
And after widespread tech media reports about one attack method, the Boston office of the FBI issued a warning on March 30 about “Zoom bombing” — conferences being “disrupted by pornographic and/or hate images and threatening language.”
The agency, along with the U.S. attorney for Eastern Michigan, later issued a warning to Zoom bombers, threatening them with prison time for committing a federal crime. However, given that authorities are releasing convicted criminals from prison due to the pandemic, that may be perceived as an empty threat.
But that led to other fallout. Besides the risk of Zoom bombing, multiple reports on both security and privacy risks on the platform prompted the New York City schools to ban its use for remote teaching.
Ironically enough, while the obvious intent was to protect students and faculty, the school district could have done that without banning Zoom, simply by using available tools on the platform that don’t require genius-level tech or security skills.
“Hijacked Zoom calls is a preventable problem,” said Tim Mackey, principal strategist at the Synopsys Cybersecurity Research Center (CyRC).
“It starts with ensuring that meeting IDs and individual usernames are kept private. This is partly due to the way modern web conferencing systems work — users often have ‘personal’ rooms with predefined connection parameters.”
Meeting hosts can also require passwords. That doesn’t eliminate risk but reduces it, Mackey said. So users should lock their rooms once all anticipated attendees have “arrived.” When in doubt, the 5- or (if you’re feeling generous) 10-minute rule is worth implementing for stragglers.
Jonathan Knudsen, senior security strategist at Synopsys, added that a password needs to be complicated, including “letters, numbers and symbols that is long enough that it would be very difficult to guess.”
“Also, be careful about sharing the meeting information, and finally, monitor the attendee list during the meeting to make sure you don’t see anyone unexpected,” he said. In other words, don’t share your video conference invite links on social media or take screenshots of your in-progress call (a la UK Prime Minister Boris Johnson).
Knudsen also recommended being careful with meeting recordings. While users can’t control the level of encryption, it is possible to require a password or other authentication to view them. “And be careful about distributing the recording information so it does not fall into the wrong hands,” he said.
Indeed, that kind of care should be taken with any similar platform.
Responding to the criticism, Zoom is also taking multiple steps to address its problems. Among them, the meeting ID no longer appears in the app title bar. And it is getting some positive buzz on social media for forming a “security advisory council” to address vulnerabilities in the platform, including former Facebook and Yahoo CSO Alex Stamos.
Be cautious, be wary
On the privacy front, virtually all video conferencing platforms collect, store, and in some cases share user data with advertisers. So the same cautions that should be applied to all online applications hold true for video conferencing. Be wary of the files and types of information being shared.
While people have to work with the online resources that are available in work-from-home conditions, be sure that sensitive materials are being transmitted via secure channels that your organization has approved.
Keep in mind that nothing is totally private in the online world. You might not care if a few people overhear your conversation in a coffee shop, but on the internet, it’s possible for people on the other side of the country, or the world, to hear or watch you. It’s healthy paranoia to realize they really are out to get you.
For schools, best security practices include locking the room once students are in attendance. Do not share links to your video conference link or classroom on an unrestricted or publicly facing resource (i.e., social media). Instead, distribute the link directly to those who are expected to attend. There are also settings to manage screensharing options. Teachers should use “Host Only” video sharing settings.
Finally, make sure to use the most up-to-date version of any app, operating system or platform. Video conferencing platforms issue patches and updates regularly, which usually include security and privacy enhancements.
Remember, security isn’t an endpoint. It’s a process that evolves along with the threat landscape and technologies. “If there are ways for a company to improve, we should notify them and if they don’t fix their issues, we should call them out,” tweeted David Kennedy, CEO of Trusted Sec. “[But] we should not be putting fear into everyone, and leveraging the media as a method to create that fear … It creates hysteria when it is not needed.”
The bottom line is that security isn’t one-sided. Companies that want to connect with consumers (and virtually all of them do) should strive, especially at a time like this, to improve their security and make their privacy policies transparent. But users of these platforms can and must help themselves as well, especially when there are tools available to do it.