There has been quite a trend in recent years of companies going from zeroes to heroes to villains in a short space of time: think Uber and WeWork.
Runaway growth can pose problems, particularly if you do not take cybersecurity seriously.
Enter Zoom. Its fast growth caught the attention of bad actors and security researchers alike. Here are just a few of the recent security issues that have been raised.
- Sending iOS user analytics data to Facebook, even when the users didn’t have Facebook accounts.
- Mining LinkedIn details and surreptitiously showing them to meeting participants who had paid for a LinkedIn integration.
- Making misleading claims about end-to-end encryption (spoiler alert: meetings aren’t end-to-end encrypted; the encryption runs between your client and Zoom’s servers, which can see the content).
- Harboring bugs that could lead to credential theft on Windows (a malicious link in meeting chat could leak a user’s Windows password hash) and, on macOS, to root access and silent access to the webcam and microphone.
- Leaking users’ email addresses and photos to strangers who merely shared the same email domain.
- Routing some non-Chinese meetings, and the keys that encrypt them, through servers in China.
- Leaving recorded meetings discoverable on the open web.
- Zoombombings. Say no more.
It kind of reads like a list of the Seven Dwarves of Worst Development Practice: Sneaky, Devious, Misleading, Careless, Sloppy, Greedy (of course), and the one that everyone forgets, Facepalm.
Am I being too harsh here? No, not really. It’s easy to say ‘Well, the number of daily meeting participants went from 10 million to 200 million in a month’. Yes, it did, but ten million daily participants is hardly a startup’s user base; it was already operating at scale.
As CEO Eric Yuan said in his statement on April Fool’s Day, apparently without realising the irony, “our platform was built primarily for enterprise customers”. Were that the case, why green-light a product to be used outside its intended market?
The issue is that Zoom is popular for a reason, and chances are you or your employees are already using it. The company has addressed many of these issues, acknowledged others, and announced measures to rectify the situation: it has brought in Alex Stamos (ex-Facebook CSO) as a security adviser and has frozen new feature work to focus on security and privacy – all good stuff. After all, it doesn’t want to lose any more government and big-business clients!
Know, too, that there are other options out there.
So how do you make sure you’re using Zoom in a way that minimises risk, both to your security posture and from an uninvited participant wreaking havoc? Here are a few tips:
- Generate meeting IDs automatically rather than using your Personal Meeting ID (PMI). Your PMI is permanently linked to your account, and the more widely it circulates, the greater the chance that it falls into the wrong hands.
- Require a password to join every meeting. Even if your PMI is more public than you think, a randomly generated password means a Zoombomber needs two secrets rather than one guessable ID, and most won’t go to the extra trouble.
- Use the Waiting Room. Ensure that only the people you are expecting to join are actually allowed into the meeting.
- Use a co-host. Their job can be to monitor the participants, make sure no one unexpected has turned up, and kick out anyone being disruptive.
- Turn off participant screen-sharing. Avoid any surprise interruptions by people who have er… ‘questionable’ content of their own that they would like to share.
- Make sure your users only download genuine Zoom software. If you can’t roll out the legitimate client automatically or otherwise require IT administrator input, insist that users download only from the official Zoom website (zoom.us). Along with every other Coronavirus scam, fake ‘Zoom’ installers bundling malware are on the rise as people need to meet remotely.
- Lastly, and most importantly, keep the software up to date. Changing other settings to block unwanted participants won’t help if you leave known vulnerabilities in the client unpatched; that could prove far more damaging.
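Telling users to tick these boxes is one thing; checking that they are ticked across an organisation is another. The following is an added example, not code from Zoom or from this post, of turning the checklist above into an audit over a user’s settings document. The field names (`schedule_meeting.use_pmi_for_scheduled_meetings`, `in_meeting.waiting_room` and so on) are assumed to mirror the shape of Zoom’s user-settings JSON; verify them against the current API reference before relying on them. Both settings documents in the block are constructed for the example, one as a new user might have them and one with every tip applied.

```python
"""Audit a Zoom-style user settings document against the meeting-hygiene tips.

Added example, not Zoom's or the original post's code. Field names are an
assumption modelled on Zoom's user-settings JSON (schedule_meeting / in_meeting);
check them against the live API reference. Sample documents are constructed.
"""
from typing import Any, Callable, Dict, List, Tuple

# Each rule: (tip, dotted path into the settings JSON,
#             predicate that returns True when the setting is acceptable).
RULES: List[Tuple[str, str, Callable[[Any], bool]]] = [
    ("Do not use the Personal Meeting ID for scheduled meetings",
     "schedule_meeting.use_pmi_for_scheduled_meetings", lambda v: v is False),
    ("Do not use the Personal Meeting ID for instant meetings",
     "schedule_meeting.use_pmi_for_instant_meetings", lambda v: v is False),
    ("Require a password for newly scheduled meetings",
     "schedule_meeting.require_password_for_scheduling_new_meetings", lambda v: v is True),
    ("Require a password for instant meetings",
     "schedule_meeting.require_password_for_instant_meetings", lambda v: v is True),
    ("Require a password for all PMI meetings",
     "schedule_meeting.require_password_for_pmi_meetings", lambda v: v == "all"),
    ("Enable the Waiting Room",
     "in_meeting.waiting_room", lambda v: v is True),
    ("Allow a co-host to help police the meeting",
     "in_meeting.co_host", lambda v: v is True),
    ("Restrict screen sharing to the host",
     "in_meeting.who_can_share_screen", lambda v: v == "host"),
]


def lookup(settings: Dict[str, Any], dotted: str) -> Any:
    """Walk a dotted path through nested dicts.

    A missing key yields None, which no rule accepts: a setting that is not
    present is not enforced, so it is reported rather than silently skipped.
    """
    node: Any = settings
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def audit(settings: Dict[str, Any]) -> List[str]:
    """Return one finding per tip that the settings document does not enforce."""
    findings = []
    for tip, path, acceptable in RULES:
        value = lookup(settings, path)
        if not acceptable(value):
            findings.append(f"{tip}: {path} = {value!r}")
    return findings


# Constructed sample: defaults as an unhardened user might have them.
WEAK: Dict[str, Any] = {
    "schedule_meeting": {
        "use_pmi_for_scheduled_meetings": True,
        "use_pmi_for_instant_meetings": True,
        "require_password_for_scheduling_new_meetings": False,
        "require_password_for_instant_meetings": False,
        "require_password_for_pmi_meetings": "none",
    },
    "in_meeting": {
        "waiting_room": False,
        "co_host": False,
        "who_can_share_screen": "all",
    },
}

# Constructed sample: the same document with every tip applied.
HARDENED: Dict[str, Any] = {
    "schedule_meeting": {
        "use_pmi_for_scheduled_meetings": False,
        "use_pmi_for_instant_meetings": False,
        "require_password_for_scheduling_new_meetings": True,
        "require_password_for_instant_meetings": True,
        "require_password_for_pmi_meetings": "all",
    },
    "in_meeting": {
        "waiting_room": True,
        "co_host": True,
        "who_can_share_screen": "host",
    },
}

if __name__ == "__main__":
    for name, doc in (("weak", WEAK), ("hardened", HARDENED)):
        findings = audit(doc)
        print(f"{name}: {len(findings)} finding(s)")
        for line in findings:
            print("  -", line)
```

In practice you would feed `audit()` the settings JSON fetched for each user (or the account-level defaults) and fail the run on any finding. Note that the lookup treats an absent key as a finding, so a user whose settings have never been touched shows up as unhardened rather than vanishing from the report.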
If you decide to ditch Zoom as a result of all the bad press, remember that any platform could have similar issues. It’s the rapid rise in popularity that brought the problems to public attention, and to their credit Zoom have realised they need to deliver on their promises fast. This might even make them the safe, go-to option in the future.
If you have any questions about how to roll-out and use Zoom safely in your organisation the experts at TBG Security will be happy to help.