Recently, Zoom’s video conferencing software has come under serious scrutiny for its security practices, with a shareholder suing the company on behalf of other shareholders over misleading claims about its end-to-end encryption. Zoom has gone so far as to recruit a former Facebook CISO to address security concerns, while CEO Eric Yuan has issued an apology.
“Clearly we have a lot of work to do to ensure the security of all these new consumer use cases, ... But what I can promise you is that we take these issues very, very seriously. We’re looking into each and every one of them. If we find an issue, we’ll acknowledge it and we’ll fix it,” Yuan said as the company scrambles to adapt to its rapid increase in users.
The most common security issues seem to have stemmed from ‘Zoombombing’, a prank in which a stranger screen-shares content (often explicit in nature) to the participants of a call, simply by obtaining the meeting link. Zoom originally enabled screen sharing for any participant by default; the company has since stated that it has taken steps to address the issue. Nonetheless, this highlights the major problem with Zoom’s rise to fame - it cut a lot of corners to become extremely easy to use and drive quick adoption, ultimately sacrificing security in the process.
Taking a deeper look, some studies have shown that Zoom is less secure than previously thought. In addition to using its own cryptographic techniques that aren't on par with industry standards, the keys used to encrypt and decrypt meeting data were passed through servers in China. For anybody handling extremely sensitive information, this could be a major concern.
[Figure: Left, the original test image sent through Zoom’s conferencing software. Middle, the same image after Zoom’s ECB encryption/decryption. Right, the image under the industry-standard SRTP encryption/decryption.]
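The following is an added example, not code from the original post or from Zoom, showing why the middle image still reveals the picture: ECB encrypts each 16-byte block independently, so identical plaintext blocks produce identical ciphertext blocks, whereas the counter mode SRTP uses (AES-CM) XORs a per-block keystream in and destroys that correlation. It assumes a keyed PRF (HMAC-SHA256 truncated to 16 bytes) as a stand-in for the AES block function so it runs on the Python standard library alone; the leak comes from the mode, not the cipher.

```python
import hashlib
import hmac
import os

BLOCK = 16  # AES block size; ECB encrypts each block independently

def prf_block(key: bytes, block: bytes) -> bytes:
    # Assumption: a keyed PRF stands in for the AES block function so the
    # example needs only the standard library. Same key + same block -> same
    # output, which is exactly the property ECB fails to hide.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Electronic Codebook: equal plaintext blocks give equal ciphertext blocks.
    return b"".join(prf_block(key, plaintext[i:i + BLOCK])
                    for i in range(0, len(plaintext), BLOCK))

def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # Counter mode (the construction SRTP's AES-CM uses): each block is XORed
    # with a fresh keystream block, so equal plaintext blocks differ in the
    # output. The (key, nonce) pair must never be reused. Self-inverse.
    out = bytearray()
    for i in range(0, len(plaintext), BLOCK):
        keystream = prf_block(key, nonce + (i // BLOCK).to_bytes(4, "big"))
        out += bytes(p ^ k for p, k in zip(plaintext[i:i + BLOCK], keystream))
    return bytes(out)

def make_test_image(width: int = 64, height: int = 32) -> bytes:
    # Constructed 1-byte-per-pixel frame: white background with a black square.
    rows = []
    for y in range(height):
        row = bytearray(b"\xff" * width)
        if 8 <= y < 24:
            row[16:48] = b"\x00" * 32
        rows.append(bytes(row))
    return b"".join(rows)

def distinct_blocks(data: bytes) -> int:
    return len({data[i:i + BLOCK] for i in range(0, len(data), BLOCK)})

def render(ciphertext: bytes, width: int) -> str:
    # One symbol per distinct ciphertext block: under ECB the square is visible.
    symbols, lines = {}, []
    for r in range(0, len(ciphertext), width):
        row = ciphertext[r:r + width]
        lines.append("".join(symbols.setdefault(row[i:i + BLOCK], chr(35 + len(symbols))) * 4
                             for i in range(0, width, BLOCK)))
    return "\n".join(lines)

def compare_modes(key: bytes, nonce: bytes) -> tuple:
    # Returns (distinct ECB blocks, distinct CTR blocks) for the 128-block image.
    image = make_test_image()
    return distinct_blocks(ecb_encrypt(key, image)), distinct_blocks(ctr_encrypt(key, nonce, image))

if __name__ == "__main__":
    key, nonce = os.urandom(16), os.urandom(12)
    print(render(ecb_encrypt(key, make_test_image()), 64))
    print(compare_modes(key, nonce))  # (2, 128): ECB keeps 2 patterns, CTR none
```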
This could be troubling for the many companies now scrambling to move to a fully remote workforce, who must choose between Zoom and alternatives for video conferencing (Skype, Microsoft Teams, Google Hangouts, Cisco’s WebEx, etc.) that may have seen slower adoption due to higher price or lower usability. This isn’t to say other video conferencing software is without its own flaws.
While Zoom did make a few mistakes, what it did was sacrifice security for usability, which is exactly why it has become as popular as it is today. For teams that had to shift quickly to remote work, video conferencing software that works with minimal training, extra downloads or admin oversight was the easiest solution. While you can’t address all of Zoom’s security flaws yourself (or those of other video conferencing alternatives, for that matter), there are a few steps you can take to protect yourself while using these options.
Don't share sensitive information over conference calls: While this is easier said than done for most, organizations that handle very sensitive information should not share it over Zoom - or any video platform, for that matter. This applies especially to highly regulated industries such as government and healthcare, and to anyone worried about industrial espionage.
Adjust settings: In every Zoom account, many settings are enabled by default to let anybody join and use a meeting. To make meetings more secure, adjust the settings so that every meeting is password protected and only the host is able to share screen content.
Protect accounts by using tools: To protect your Zoom accounts further, consider using SSO tools such as Okta to make sure that only users with valid identities have access to your organization’s Zoom accounts. Additionally, employ 2FA tools like Duo to verify that it is in fact those users who are accessing their Zoom accounts.
While these are all steps you can take to make Zoom more secure, ultimately this shows that much of the responsibility for security still rests with the user. Unless the user takes the proper precautions to keep private information safe, there’s a good chance that malicious attackers will be able to take advantage. As we reflected on this growing story, we realized this issue strikes at the heart of our mission to shift the responsibility for security off of the user and onto the company security team. For more information on how to secure your remote workforce, reach out today.