For our regular readers: Zoom is not a Microsoft product and not something we would normally cover. On occasion, however, a topic outside our usual scope is important enough to our users that we want to share it, and we believe the recent run of Zoom security updates is one of those cases.
By now most of us have "Zoomed," especially since the Coronavirus pandemic forced most of us to stay and work from home over the last few months. Video meeting tools like Zoom, Microsoft Teams, and Google Meet have seen skyrocketing usage; Zoom alone grew from 10 million daily meeting participants in December to nearly 200 million in March.
Because of that newfound popularity, Zoom has come under increasing scrutiny for privacy and security risks, ranging from its built-in attention-tracking feature to "Zoombombing." For those who don't know, Zoombombing is when an uninvited attendee joins a meeting and disrupts it. From the company's perspective it is a public relations challenge, because the app has become a target for hackers, security researchers, and now state attorneys general who are investigating the company. While it could be argued that Zoombombing is simply the result of bad behavior by the intruders, Zoom's own design choices (meeting IDs that are easy to guess or find, no password or waiting room by default) and its initial responses to the reports created the situation it is in today.
To show the seriousness of the situation: the FBI has issued formal warnings about the use of Zoom, companies such as Tesla have told employees not to use it, Germany and Singapore have warned against using it, and U.S. Senators have sent letters asking the FTC to investigate the company.
Those reactions are severe, but the number and severity of the security issues identified in a span of just two weeks justify real concern:
- March 26 - Zoom's iOS app was sending device and usage data to Facebook via the Facebook SDK, including for users who did not have a Facebook account.
- March 30 - Zoom does not use end-to-end encryption as its marketing claimed; meetings are encrypted in transit, but Zoom's servers can access the content.
- April 1 - Zoom's "Company Directory" feature leaked users' email addresses and photos to strangers who signed up with the same email domain.
- April 2 - Automated tools can find Zoom meetings by guessing meeting IDs.
> Automated Zoom conference meeting finder 'zWarDial' discovers ~100 meetings per hour that aren't protected by passwords. The tool also has prompted Zoom to investigate whether its password-by-default approach might be malfunctioning https://t.co/dXNq6KUYb3 pic.twitter.com/h0vB1Cp9Tb
>
> — briankrebs (@briankrebs) April 2, 2020
- April 2 - A data-mining feature ("LinkedIn Sales Navigator") was discovered that let some users view LinkedIn profile data about other meeting participants.
- April 3 - Thousands of recorded Zoom calls were found viewable on the open web because they were saved to unprotected cloud storage with a predictable file-naming pattern.
- April 5 - Some Zoom calls were "mistakenly" routed through Zoom servers in China, even for meetings with no participants in China.
- April 6 - Zoom account credentials were found for sale on the dark web, including accounts belonging to large education institutions and a major US health care provider.
Fast Company's recent article describes the core issue as one of trust: whether a user can use Zoom without fear that the chats, audio, and video from a meeting will be disclosed. The primary issue they highlight is encryption. Zoom has confirmed that meetings are not encrypted end-to-end; they are encrypted between the client and Zoom's servers, so Zoom itself (and anyone who compromises or compels Zoom) can access meeting content. That falls short of what true end-to-end systems such as Apple's iMessage, Cisco Webex meetings, and Signal provide, where only the participants hold the keys.
Improving Security But Not Enough
Zoom is responding to the security concerns and attempting to rebuild trust while keeping the features that made it popular in the first place. On April 8th, Zoom released an update that includes several security changes, chief among them a new in-meeting Security control for hosts and the removal of the meeting ID from the title bar, and CEO Eric Yuan held a live "Ask Me Anything" session the same day.
Removal of Meeting IDs
Zoom believes it can reduce Zoombombing by removing the meeting ID from the title bar; the window title now simply shows "Zoom" for every meeting, so an active meeting ID is no longer exposed when, for instance, a screenshot of a meeting is posted publicly. This closes one common leak, but it does not stop tools like zWarDial from guessing IDs, so it should be treated as a supplement to passwords and the Waiting Room rather than a replacement for them.
The new Security icon is visible only to hosts and co-hosts of a meeting. It doesn't add new protections; it gathers several existing Zoom security features into one place so you can protect a meeting quickly while it is running.
Using the Security icon, hosts and co-hosts can now, in one place:
- Lock the meeting
- Enable the Waiting Room (even if it’s not already enabled)
- Remove participants
- Restrict participants’ ability to share screens, and annotate shared content
Other Security Updates
The Zoom team also changed the default settings for several features on specific account types:
- Waiting Rooms - the Waiting Room feature is now on by default for free Basic accounts, single-licensed Pro accounts, and education accounts enrolled in Zoom's K-12 program.
- Passwords - meeting passwords are now on by default for free Basic accounts, single-licensed Pro accounts, and education accounts enrolled in the K-12 program. For those education accounts the default cannot be changed. Combined with the Waiting Room, this is the control that actually defeats meeting-ID guessing: an attacker who finds a valid ID still can't get in without the password and host admission.
- Domain Contacts - for free Basic and single-licensed Pro accounts on unmanaged domains, contacts in the same email domain are no longer visible, and the option to auto-populate the Contacts list with users from the same domain has been removed (this is the feature behind the April 1 email-address leak). If you want to keep those contacts, you can add them as External Contacts.
- Renaming participants - account admins and hosts can now disable the ability for participants to rename themselves, for every meeting, at the account, group, and user level in the web portal. This matters because an intruder who is removed can otherwise rejoin under a different display name.
90-Day Security Plan
Zoom is also addressing the security and privacy concerns over a longer horizon. The company has announced a 90-day plan (during which feature development is frozen in favor of security and privacy work), the first step of which is a comprehensive security review of the platform with former Facebook CSO Alex Stamos as an outside advisor. Zoom will also host a webinar every Wednesday to update users and the community on its latest privacy and security changes.
More to Come
While it is good to see Zoom taking a proactive stance, some community concerns will be difficult to address in the near term. Based on the early results, many in the community believe the company is genuinely working to improve. Security firm Rapid7 wrote, "engineers, marketers, and leadership at Zoom are neither evil nor dumb. You can judge Zoom based on their responses to security issues." Zoom will ultimately fix its flaws, clarify its position on its engineering work in China, and hopefully get ahead of future problems before others discover them. In the end, though, users will decide whether that is enough. Tell us what you think, and whether Zoom is doing enough to address your concerns about its security.