We at HONEST Security know that with many schools now closed for the remainder of the year, there are a lot of questions about digital learning and working from home. We have recently seen many concerns raised about security and privacy. While it has always been of paramount importance to prioritize these things, they are now abundantly clear and on everyone’s radar. We couldn’t be more thrilled!
One specific tool on everyone’s minds has been Zoom video conferencing. We recently received messages from both of our kids’ teachers and have seen many people talking about no longer using Zoom.
We are writing this in the hope of spreading education and awareness rather than more fear and panic. There is no reason for anyone to tell you to stop using Zoom and use something else in its place. All software is subject to vulnerabilities, and Zoom is no exception.
HONEST Security has recently assessed other video conferencing solutions and has found the same types of vulnerabilities and worse. We are confident that if these other video conferencing companies were rigorously tested in the way Zoom was, they too would be found just as vulnerable.
That being said, as security professionals we want to offer some reassurance and guidance when using Zoom.
1. To help mitigate these concerns, use the Zoom web client rather than the native desktop client that you download and install on your machine. The native desktop client violates user privacy by covertly divulging meeting participants’ system data to meeting presenters. If you do need the native client, keep it updated: the fixes Zoom ships only protect installed clients that are current. More details about Zoom’s web client, and how to enable and use it as both host and participant, can be found at the following URL: https://support.zoom.us/…/articles/214629443-Zoom-web-client
2. Be sure to set a meeting password on every scheduled meeting. This helps prevent Zoom-bombing attacks, in which attackers try to connect to arbitrary Zoom meetings by enumerating the meeting ID keyspace (the set of all possible IDs). Adding a password multiplies the size of that keyspace, which increases the cost of a Zoom-bombing attack.
3. Zoom meeting IDs – avoid publicly sharing Zoom meeting IDs and complete Zoom meeting URLs/links, since the link embeds the ID (and, if the host enabled that option, the password). Furthermore, meeting hosts should let Zoom generate a random meeting ID for each scheduled meeting, and should simply avoid Zoom’s personal meeting ID (PMI) feature, where the meeting ID is user configurable and reused for every meeting.
4. Use Zoom waiting rooms – a waiting room lets the host screen meeting attendees before admitting them to the scheduled meeting. The feature effectively keeps unintended users out of the live meeting feed even if they succeed in a Zoom-bombing attack, i.e. even if they reach the meeting with a valid ID and password.
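Items 2 to 4 above are settings a host can check and apply programmatically. The following is an added example written for this post, not code from the original page or from Zoom: it audits a meeting object against those three recommendations, builds a create-meeting request body that applies them, and gives a rough cost model for the keyspace argument in item 2. The field names ("password" at the top level; "use_pmi", "waiting_room" and "join_before_host" under "settings") and the meeting type code 2 follow Zoom’s Meetings API v2 as we recall it and are assumptions to verify against the current API reference; the two meeting objects are constructed samples.

```python
"""Audit and build Zoom meeting settings against the recommendations above.

Added example for this post; not code from the original page or from Zoom.
Assumed field names: top-level "password", and "use_pmi", "waiting_room",
"join_before_host" under "settings" (Zoom Meetings API v2 as recalled here).
The meeting objects below are constructed samples, not real meetings.
"""
from typing import Any, Dict, List

# Constructed sample: a meeting scheduled with the defaults many hosts used.
WEAK_MEETING: Dict[str, Any] = {
    "id": 1234567890,
    "topic": "Reading group",
    "password": "",
    "settings": {"use_pmi": True, "waiting_room": False, "join_before_host": True},
}

# Constructed sample: the same meeting with the advice applied.
HARDENED_MEETING: Dict[str, Any] = {
    "id": 9876543210,
    "topic": "Reading group",
    "password": "q7Gm2Xp4",
    "settings": {"use_pmi": False, "waiting_room": True, "join_before_host": False},
}


def audit_meeting(meeting: Dict[str, Any]) -> List[str]:
    """Return one finding per recommendation the meeting violates (empty list = all good)."""
    settings = meeting.get("settings") or {}
    findings: List[str] = []
    if not meeting.get("password"):
        findings.append("no password: the meeting ID alone gates entry")
    if settings.get("use_pmi"):
        findings.append("personal meeting ID: one fixed ID reused for every meeting")
    if not settings.get("waiting_room"):
        findings.append("waiting room off: anyone who joins lands in the live meeting")
    if settings.get("join_before_host"):
        findings.append("join before host on: attendees can meet before anyone screens them")
    return findings


def hardened_request_body(topic: str, password: str) -> Dict[str, Any]:
    """Body for a create-meeting request (assumed: POST /users/{userId}/meetings) applying the advice."""
    if not password:
        raise ValueError("a scheduled meeting needs a password")
    return {
        "topic": topic,
        "type": 2,  # assumed Zoom type code for a scheduled (non-recurring) meeting
        "password": password,
        "settings": {
            "use_pmi": False,           # random per-meeting ID instead of the personal one
            "waiting_room": True,       # host screens each attendee before admission
            "join_before_host": False,  # nobody is in the room until the host arrives
        },
    }


def expected_join_attempts(id_digits: int, live_meetings: int,
                           password_length: int = 0, alphabet_size: int = 10) -> float:
    """Rough cost model for item 2: expected blind join attempts before landing in a live meeting.

    Without a password the attacker only has to hit one of `live_meetings` IDs in a
    space of 10**id_digits; a password of `password_length` symbols multiplies the space.
    """
    keyspace = 10 ** id_digits * alphabet_size ** password_length
    return keyspace / live_meetings


if __name__ == "__main__":
    for name, meeting in (("weak", WEAK_MEETING), ("hardened", HARDENED_MEETING)):
        print(name, audit_meeting(meeting) or ["ok"])
    print(hardened_request_body("Reading group", "q7Gm2Xp4"))
    # 10-digit IDs, a million live meetings: with no password vs a 6-digit one
    print(expected_join_attempts(10, 1_000_000), expected_join_attempts(10, 1_000_000, 6))
```

Run `audit_meeting` over the objects returned by Zoom’s list-meetings endpoint to find meetings a host set up before following this advice; `hardened_request_body` is the shape to POST for new ones. The cost model is deliberately crude (it assumes Zoom lets an attacker test the ID and password together, and ignores rate limiting), but it shows the point of item 2: the password multiplies the work, it does not merely add to it.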
In response, Zoom is bolstering its security efforts by pausing new feature development and dedicating the next 90 days to enhancing product security and privacy. We here at HONEST applaud Zoom for prioritizing essential security measures. We hope this spurs many others to follow in their footsteps.
If you have any security questions or concerns, please feel free to reach out to us. It is our passion to spread awareness and education to everyone. You can head over to our Facebook community group “HONEST Aware and Share” for further security alerts and updates!
Until next time, Stay vigilant Security Warriors!
-The HONEST Security Tribe