It has been a roller-coaster few weeks for Zoom, the video conferencing platform. At the end of last year the company had 10m users; in the post-COVID-19 world it has racked up 200m daily users.
Following its incredible rise, it has attracted complaints from security experts claiming that its security measures fall some way short of what’s required of such a popular platform. This week, things took another step with giants such as Standard Chartered and Siemens advising staff not to use the platform.
So, is Zoom safe for regulated firms dealing with critical financial information? Our in-house tech expert Pat Cunningham takes a look…
Zoombombing
One of the most publicised security concerns around the Zoom platform involves uninvited users jumping into a group meeting, which has given rise to the term ‘Zoombombing’.
Horrendous stories have been circulating the Internet of people Zoombombing Alcoholics Anonymous meetings and shouting abuse, or jumping onto school lessons and hurling racist chants or broadcasting porn.
The fact that certain people get a kick out of this behaviour baffles me; it’s just awful, but that’s another discussion. The main point here is that a conference call platform shouldn’t really allow this sort of thing to happen.
Aside from the hugely offensive acts that have been making the headlines, this obviously presents a huge security concern. If you are working on behalf of a business, discussing confidential matters with a client, you obviously don’t want unwanted parties getting involved!
The issue is that, up until recently, Zoom’s default settings allowed uninvited users to join a call. In fact, it was as easy as simply Googling “site:zoom.us” to find a list of meetings that you could potentially join.
However, Zoom has since closed this loophole by enabling the ‘Waiting Room’ feature by default, which gives the meeting host the power to reject unknown parties before they can join the meeting.
If you don’t have the ‘Waiting Room’ feature enabled, you should enable it now.
In addition to this, you should try to avoid using your personal meeting ID all the time. If you are inviting new users to your call, then generate a unique ID specific to that call, which will make it harder for uninvited users to find your meeting URL. Zoom has provided a useful video in this regard.
There are various other options available to mitigate the risk of uninvited users, including the ability to prevent the meeting from starting until the organiser is present, or the ability to deputise co-hosts in case you go offline and someone else needs to step in to deal with any situations that arise.
Bearing the above points in mind, Zoombombing in particular shouldn’t be a huge concern for banks or regulated organisations where confidentiality is important, as long as the meetings are run properly.
That said, however, other platforms such as Microsoft Teams or GoToMeeting have never suffered from this phenomenon, which does say something.
Encryption
The other major issue that firms have with Zoom is the encryption, and this is a valid concern.
Despite Zoom claiming that its communications are highly secure, an independent review found that the reality was actually quite different.
Rather than using standard industry-grade encryption for its communications, Zoom has rolled out its own scheme, which is rather sub-par. To start with, it uses AES-128 rather than the AES-256 described on its website, and the key is used in ECB mode, which preserves patterns in the encrypted output because identical blocks of plaintext always produce identical blocks of ciphertext.
A single key is shared amongst all participants in the meeting, and in some cases that key was routed through servers in China even when none of the participants were in China. Zoom’s response was that this was a bug in its systems, which has since been resolved.
It is likely that the company implemented this alternative approach to encryption to improve connection speed, as video conferencing is notoriously unreliable. However, in its quest for speed, the company has compromised the security of its product.
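To make the ECB criticism concrete, here is an added example (not Zoom’s code or protocol) that encrypts the same data with AES-128 in ECB mode and in CTR mode and counts how many ciphertext blocks repeat. It carries a small pure-Python AES-128 (encryption only) so that it runs offline with no third-party library; the key, nonce and “pixel row” plaintext are constructed samples, and the column-major state layout and CTR nonce format are this example’s own choices.

```python
"""Why ECB mode 'preserves patterns': AES-128 in ECB versus CTR mode.

Added example for this article, not Zoom's code or protocol. It carries a
small pure-Python AES-128 (encryption only) so it runs offline; the key,
nonce and plaintext below are constructed samples, not real traffic.
"""


def _rotl8(x, s):
    """Rotate an 8-bit value left by s bits."""
    return ((x << s) | (x >> (8 - s))) & 0xFF


def _build_sbox():
    """Generate the AES S-box: GF(2^8) inverse followed by the affine map."""
    sbox = [0] * 256
    p = q = 1  # loop invariant: p * q == 1 in GF(2^8)
    while True:
        p = p ^ ((p << 1) & 0xFF) ^ (0x1B if p & 0x80 else 0)  # p *= 3
        q ^= q << 1                                            # q /= 3
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        affine = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = affine ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse, so it is a special case
    return sbox


SBOX = _build_sbox()


def _xtime(b):
    """Multiply by x (0x02) in GF(2^8)."""
    return ((b << 1) ^ 0x1B) & 0xFF if b & 0x80 else b << 1


def _expand_key(key):
    """AES-128 key schedule: 16-byte key -> 176 bytes (11 round keys)."""
    assert len(key) == 16, "this demo implements AES-128 only"
    w = list(key)
    rcon = 1
    for i in range(16, 176, 4):
        t = w[i - 4:i]
        if i % 16 == 0:  # first word of each round key: RotWord, SubWord, Rcon
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)
        w += [w[i - 16 + j] ^ t[j] for j in range(4)]
    return w


def _encrypt_block(rk, block):
    """Encrypt one 16-byte block; state is column-major (index = 4*col + row)."""
    s = [b ^ k for b, k in zip(block, rk[:16])]
    for r in range(1, 11):
        s = [SBOX[b] for b in s]                                              # SubBytes
        s = [s[4 * ((col + row) % 4) + row] for col in range(4) for row in range(4)]  # ShiftRows
        if r != 10:                                                           # MixColumns
            mixed = []
            for col in range(4):
                a = s[4 * col:4 * col + 4]
                t = a[0] ^ a[1] ^ a[2] ^ a[3]
                mixed += [a[i] ^ t ^ _xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]
            s = mixed
        s = [b ^ k for b, k in zip(s, rk[16 * r:16 * r + 16])]                # AddRoundKey
    return bytes(s)


def ecb_encrypt(key, data):
    """ECB: each block encrypted independently with the same key and no IV."""
    assert len(data) % 16 == 0, "demo expects whole blocks (no padding)"
    rk = _expand_key(key)
    return b"".join(_encrypt_block(rk, data[i:i + 16]) for i in range(0, len(data), 16))


def ctr_encrypt(key, nonce, data):
    """CTR: XOR data with AES(nonce || counter); a nonce must never repeat under one key."""
    assert len(nonce) == 12, "demo uses a 12-byte nonce plus a 4-byte block counter"
    rk = _expand_key(key)
    out = bytearray()
    for i in range(0, len(data), 16):
        keystream = _encrypt_block(rk, nonce + (i // 16).to_bytes(4, "big"))
        out += bytes(b ^ k for b, k in zip(data[i:i + 16], keystream))
    return bytes(out)


def repeated_blocks(ciphertext):
    """Count ciphertext blocks that duplicate an earlier block: the ECB leak."""
    blocks = [ciphertext[i:i + 16] for i in range(0, len(ciphertext), 16)]
    return len(blocks) - len(set(blocks))


# Constructed sample: one 16-byte "pixel row" repeated four times, standing in
# for the identical regions a video frame contains (whole blocks, no padding).
SAMPLE_KEY = bytes(range(16))
SAMPLE_NONCE = b"\x00" * 12
SAMPLE_PLAINTEXT = b"pixel row 0x0000" * 4

if __name__ == "__main__":
    print("ECB repeated blocks:", repeated_blocks(ecb_encrypt(SAMPLE_KEY, SAMPLE_PLAINTEXT)))
    print("CTR repeated blocks:", repeated_blocks(ctr_encrypt(SAMPLE_KEY, SAMPLE_NONCE, SAMPLE_PLAINTEXT)))
```

Under ECB the four identical plaintext blocks come out as four identical ciphertext blocks, so an observer who never recovers the key can still see where content repeats across a frame or between frames. Under CTR every block is XORed with a different keystream block, so the repetition disappears; the price is that the nonce must be unique per key, which is exactly the kind of bookkeeping a home-grown scheme tends to get wrong.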
History of Security Issues
Zoom has come under a lot of scrutiny recently, mainly because of its massive increase in users, but also because of its track record on security, which hasn’t exactly been strong.
Recent security issues include:
- Implementing a Facebook data collection feature on its iOS app without the user’s permission
- Sending user analytics data to Facebook without the user’s permission
- A data mining feature on Zoom allowed some participants to access LinkedIn profile data from other users
- An automated tool could be used to find Zoom meeting IDs that aren’t protected by passwords
- Thousands of video call records were found unprotected and publicly available on the web, including private therapy sessions, small business meetings and elementary school classes
- It was discovered that 500,000 Zoom accounts were up for sale on the dark web and hacker forums, indicating a significant data breach
So, should we Zoom?
Having been using Zoom for various family gatherings over the last few weeks, and the odd client meeting, I was keen to look at rolling it out in my own business.
The Zoom UI is simpler than any other I have used, so simple that even my mother-in-law has used it without any difficulty. Given that she sends editable PDFs to me to fill in on her behalf, this is quite impressive.
Zoom is also the most stable video conferencing platform I have ever used. Gone is that frustrating 10 minutes of faff at the beginning of every meeting while everybody attempts and fails multiple times to get online. Gone are the people dropping out constantly and the ever-present sound difficulties.
However, looking at Zoom’s record with security, I can see why firms are steering clear. From a cyber-security and GDPR perspective, Zoom is heavily tainted, and I certainly won’t be going anywhere near the platform for any discussion that is remotely confidential.
I’ll probably still use it for our weekly family quiz night though, as I couldn’t face the prospect of trying to get my mother-in-law onto GoToMeeting.