Zoom: what are the problems?
There are some major issues with the Zoom Videoconferencing platform at the moment. I will discuss the worst of them, and provide some ideas to help users secure against them.
Zoom Bombing
Zoom bombing is when uninvited users guess the meeting ID for a meeting to which they are not invited. These malicious users can then become a nuisance to the other participants, posting objectionable images, offensive speeches and the like. While an admin can mute these miscreants, once the meeting ID is known, they can simply return with new IDs over and over. There have been a large number of very public incidents involving this. It is also the easiest issue to control by carrying out the following:
- Stop participants from sharing their screen
Click the arrow next to “Share Screen” in the host controls at the bottom of the Zoom screen, then select “Advanced Sharing Options” and make sure the option to “Who Can Share?” is set to “Host Only.”
- Control who enters a meeting with the Waiting Room feature
This puts all participants in a waiting area before the meeting starts, and you can admit them one by one, or all at once. You can enable it by going to Account Management > Account Settings > Meeting > Waiting Room. More Waiting Room information is available at Zoom.
- Lock the meeting after it starts
This is harsh to latecomers, but it keeps out some gate-crashers. Click “Manage Participants” at the bottom of the Host screen and select “Lock Meeting.”
- Turn off File Transfer
This will stop jerks from uploading porn through the in-meeting text-chat function. Go to Account Management > Account Settings > Meeting > File Transfer.
- You can also enforce things like passwords required to attend
You can set a password for meetings that use the personal meeting ID. This can be found within the Settings under the Meetings tab.
Leaks of email addresses and profile photos
The way Zoom is designed; everyone sharing the same email domain is grouped into the same “Company” folder, where lots of unexpected information can be viewed. So if users use the same basic ISP issued email domains (such as rocketmail.com, or frontiernetworks.com), then they can view profile pictures, and email addresses of others with that same domain.
A poor security practice, but if Zoom bombing has been kept to a minimum, not a terribly large risk.
Sharing of personal data with advertisers
Zoom’s Terms of Service basically allows Zoom to do whatever it wants to do with the personal information shared with it. Though they have rewritten the worst pieces of it, a quick review by some attorneys I work with gave them pause. It may be that Zoom isn’t going to sell all of the data to advertisers and the like, but I wouldn’t count on it not happening.
Security flaws of Zoom
Windows password stealing and Malware Injection
The side bar chat rooms supported by Zoom would allow malicious users to send a phony link that, if clicked on, would allow the user to steal the windows password from their victims. It could also be used to force a remote machine to install virus ridden software, or malware.
Supposedly, this has been patched, but I am waiting to hear from more sources than Zoom to confirm.
To avoid this, either disable the zoom chats, or warn chat participants to NOT use them, and to certainly not click on any links within the Zoom chats!
Phony end-to-end encryption
Zoom has been using the term “End-to-end Encryption” in their marketing to provide a sense of security to their users. However, their marketing is a lie. In the IT world, “End-to-end” encryption means that the data being sent is encrypted and secured at the source (usually a users phone or browser), and sent to the server still encrypted. The server then forwards the data to the receiving client at the other end (the other users in the chat), with the server in the middle UNABLE TO DECRYPT THE DATA. This means that services that use end to end encryption cannot eavesdrop, cannot sell the conversation data etc.
This is NOT how Zoom works. Data is sent to Zoom servers where it is decrypted, and stored UNENCRYPTED. So as a platform, Zoom is being very dishonest about what it is doing with your data.
There is no fix for this.
Final thoughts on Zoom
These are the major issues with Zoom I am aware of. There is another issue under investigation at the moment, where it has been suspected that Zoom is sending all of its security keys to the Chinese Government, making their encryption transparent to them, but I am also looking for confirmation of this. At this point, it is likely okay to use for simple video conferencing, as the most egregious bugs that would allow for remote theft of credentials have been patched. However if you are doing anything private, I would be concerned. Also, the company is being very suspicious about their behavior, so while they likely aren’t going to expose your computer to high security risks, they may sell what they can learn about you to advertisers ( but then so does Facebook).
Overall, I’d say it is okay but other free video conferencing platforms should be considered.
For smaller meetings, Google Meet (formerly Hangouts) is very good. I recently hosted a 40 member conference for a tech demo without an issue. But I also have a business account with them, so they might have more limited offerings for free chats.