The massive uptick in use of the popular video conferencing service Zoom has resulted in a rise in stock price, a class action lawsuit, and a huge opportunity for cybercriminals.
With phrases like “work from home” and “shelter in place” being used since the first COVID-19 infection in the U.S. on January 21st, organizations worked to quickly find a way to inexpensively connect their now-remote workforce to keep business going.
The scramble to transition to a digital workplace leveraging cloud-based tools was forced upon many organizations not ready yet to make such a drastic transition. Zoom conferencing (which offers a free version for meetings with up to 100 participants) became the tool of choice, growing its daily users from 10 million in December of 2019 to over 200 million in March. This caused Zoom’s stock price to jump from $68 on January 1st to a high of $159 on March 23rd.
But security flaws have plagued Zoom:
- The group chat feature in the Windows client could be used to leak Windows credentials: a UNC path (e.g., “\\<server>\<share>\<filename>”) pasted into chat was rendered as a clickable link, and when a recipient clicked it Windows tried to reach that server over SMB and sent the logged-on user’s NTLM credential hash to whoever controlled it, on the assumption it was authenticating to another Windows machine.
- The Mac client had flaws that let an attacker with local access, or malicious code already running on the machine, gain root through the installer and hijack the webcam and microphone.
- Zoom’s iOS client was sending device and IP address data to Facebook through the bundled Facebook SDK.
- The macOS installer used pre-installation scripts to finish installing before the user had clicked through the install prompts, a technique security researchers called “malware-like”.
Additionally, Zoom has been criticized for claiming that their platform uses end-to-end encryption when it did not. All issues have since been addressed by Zoom. And Zoom has committed to suspending new development and focusing on security and privacy.
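The first flaw above comes from a chat renderer that treats anything shaped like a UNC path as a link. The snippet below is an added illustration, not Zoom’s code: a minimal Python linkifier in its flawed form beside the hardened form, plus a detection helper you could run over chat exports. The sample messages and host names are constructed for the demo.

```python
import html
import re

# Constructed sample chat messages for the demo (not captured traffic).
SAMPLE_MESSAGES = [
    "Slides: https://example.org/deck.pdf?v=1&x=2",
    "grab the agenda from \\\\evil-host.example\\share\\agenda.docx",
    "5 < 6 is true",
]

# \\host\share[\more]: host and share contain no whitespace, quotes or angle brackets.
UNC_RE = re.compile(r'\\\\[^\\\s<>"]+\\[^\s<>"]+')
# Only http(s) URLs are ever worth turning into links.
HTTP_RE = re.compile(r'https?://[^\s<>"]+')


def _anchor(match):
    target = match.group(0)
    return '<a href="%s">%s</a>' % (target, target)


def find_unc_paths(message):
    """Detection helper: every UNC path present in a chat message."""
    return UNC_RE.findall(message)


def linkify_vulnerable(message):
    """Reproduces the flawed behaviour: after HTML-escaping, both web URLs
    and UNC paths become clickable. On Windows, clicking a \\\\host\\share
    link makes the OS open an SMB session to that host and authenticate
    with the current user's NTLM credentials, which is the leak."""
    text = html.escape(message)
    text = HTTP_RE.sub(_anchor, text)
    return UNC_RE.sub(_anchor, text)


def linkify_safe(message):
    """Hardened form: only http(s) URLs become links. A UNC path is left as
    inert, escaped text, so nothing in a message can start an SMB connection."""
    text = html.escape(message)
    return HTTP_RE.sub(_anchor, text)


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print("UNC paths found:", find_unc_paths(msg))
        print("vulnerable:", linkify_vulnerable(msg))
        print("safe      :", linkify_safe(msg))
```

The fix is an allow-list (only schemes you intend to make clickable) rather than a deny-list of known-bad patterns; `file:` and `smb:` URLs would need the same treatment as bare UNC paths.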
As if that wasn’t bad enough, the surge in interest has made Zoom a playground for cybercriminals, who have found various ways to exploit its popularity against a workforce that is new to the tool and not especially technical. Some of the Zoom-related reports include:
- Over 3,300 new domain names containing the word “Zoom” have been created since the beginning of the year
- Reports of “Zoombombing”, where uninvited attendees join meetings to disrupt them or to post malicious links in the chat. This caused enough of a stir that the FBI issued a warning about it.
- Phishing attacks offering malicious “Zoom installers” as attachments are sprouting up
- A repackaged copy of the legitimate Zoom installer has been spotted in the wild that bundles cryptocurrency-mining malware inside it
And, given the interest in Zoom isn’t waning, these attacks aren’t going anywhere anytime soon.
To top it all off, Zoom now faces a class action lawsuit for concealing the truth about application issues with software encryption, its alleged vulnerabilities, and unauthorized disclosure of personal data to third parties including Facebook.
With the known security flaws fixed, should you use Zoom and, if so, how can you use it safely?
As long as Zoom stays focused on making the most secure platform it can, there’s little reason to jump ship. There are a number of best practices you should follow when using Zoom – or any other video conference service:
- Only use the official Zoom website and app – the URL for Zoom is “zoom.us” and the app is ZOOM Cloud Meetings. Zoom also has a number of other versions for specific clients. Just be sure it’s actually a Zoom app!
- Require a Meeting Password – This applies when you’re having a meeting with specific attendees; if the general public is meant to attend, it isn’t needed. Zoom defaults to a 6-digit numeric password; longer, alphanumeric passwords are better, and sending the password through a different channel than the meeting link keeps one leaked message from giving away both.
- Skip your Personal Meeting URL – Scheduled meetings get a unique URL each time, but your personal meeting URL never changes. Once it leaks (forwarded, posted publicly, shown in a screenshot), anyone holding it can join any meeting you run from it, at any time, with no warning to you (“Zoombombing”).
- Use the Waiting Room – rather than just have attendees with the meeting URL and password join, Zoom offers an ability to have them first placed in a waiting room where you as the presenter can verify who is attempting to join, only allowing in those you want.
- Make Attendees Provide Full Names – We’ve seen malicious URLs posted in the chat window. Proactively confirming that each person attending should be there starts with requiring full names. If needed, you can remove an unknown participant and ask them to rejoin with their full name.
- Disable Video and Mute Attendees – Zoombombing involves someone joining and then disrupting the meeting. You have the option of disabling video for all attendees when creating a meeting so only the host is visible. During the meeting, the host can mute all attendees as well. By default, Zoom switches the video to whoever is speaking, so disabling video and muting attendees keeps the focus on the host.
- Disable Screen Sharing – Staying on the Zoombombing theme, disabling attendees’ ability to share their screen is another way to keep the meeting on track; you can grant it back to an individual presenter when they need it.
- Lock the Meeting – Once everyone who is expected to attend is in the meeting, you can manage your participants within the meeting and use the Lock Meeting option to disallow anyone else from joining.
- Update Zoom – with their promise to focus on security and privacy, it’s likely more vulnerabilities will be found and even publicized. So, keep your client up to date to ensure the latest security flaws have been addressed.
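Two of the points above, the flood of new “Zoom” domains and the first best practice (only use zoom.us), come down to checking which domain a link actually points at. The snippet below is an added example, not code from Zoom or KnowBe4: it verifies a URL’s host the way a mail filter or browser policy would, parsing rather than string-matching so that userinfo, path and subdomain tricks fail, and it flags lookalike domains from a list such as a newly-registered-domains feed. The domain list and the small confusables table are constructed for the demo and only illustrate the approach.

```python
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "zoom.us"   # the vendor domain named in the first best practice

# Constructed sample of "new domains containing zoom" (not a real feed).
SAMPLE_DOMAINS = [
    "zoom.us",
    "us04web.zoom.us",
    "zoom-us-meeting.test",
    "zoomus.test",
    "zoom.us.attacker.test",
    "z00m.test",
    "zo\u043em.us",   # Cyrillic small o (U+043E) in place of the Latin o
    "example.test",
]

# Illustrative subset of Unicode confusables; the real table is far longer.
CONFUSABLES = str.maketrans({"0": "o", "\u043e": "o", "\u03bf": "o"})


def skeleton(label):
    """Map look-alike characters to their ASCII targets so 'z00m' and
    'zo<cyrillic o>m' both read as 'zoom'; 'rn' is a common stand-in for 'm'."""
    return label.translate(CONFUSABLES).replace("rn", "m")


def normalised_host(url):
    """Hostname of an http(s) URL, lower-cased, trailing dot removed and
    IDNA-encoded (so a homoglyph domain surfaces as xn--...), or None.
    urlsplit is used instead of a substring search so that
    https://zoom.us@evil.test/ (userinfo) and https://evil.test/zoom.us (path)
    cannot pass."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    host = parts.hostname.rstrip(".")   # .hostname drops userinfo and port and lower-cases
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return None


def is_under_official_domain(host):
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)


def is_official_zoom_link(url):
    host = normalised_host(url)
    return host is not None and is_under_official_domain(host)


def flag_lookalike_domains(domains):
    """Return every domain that reads as containing 'zoom' (after confusable
    folding) but is not zoom.us or a subdomain of it."""
    flagged = []
    for raw in domains:
        d = raw.lower().rstrip(".")
        try:
            ascii_form = d.encode("idna").decode("ascii")
        except UnicodeError:
            flagged.append(raw)          # malformed label: treat as suspicious
            continue
        if is_under_official_domain(ascii_form):
            continue
        if "zoom" in skeleton(d):
            flagged.append(raw)
    return flagged


if __name__ == "__main__":
    for link in ("https://us04web.zoom.us/j/1?pwd=x", "https://zoom.us@attacker.test/j/1"):
        print(link, "->", is_official_zoom_link(link))
    print("lookalikes:", flag_lookalike_domains(SAMPLE_DOMAINS))
```

A link that passes this check can still be a phishing lure if the attacker controls the meeting, so the host check is a filter, not a guarantee; it removes the impersonated-domain class of attack, and the remaining points (passwords, waiting room, locking) handle what happens once someone is in.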
In addition, organizations need to address the Zoom-related phishing scams and impersonated domains through continual Security Awareness Training to educate users on current attack trends. Zoom is a great example of “today’s attack”; tomorrow’s will leverage another trend, theme, news story, etc.
By stepping your users through new-school awareness training and having them adhere to best practices when using any video conferencing solution, the organization remains secure with users remaining vigilant at the logical perimeter. KnowBe4 is still using Zoom and will continue to do so, securely.