Who’s Zooming Who?
Back in the day (as in, two-and-a-half long years ago), people did things such as meeting with coworkers and attending conferences in person. But, with the advent of the COVID-19 global quarantine, people found new ways to be present at gatherings, from one-on-one meetings to large events. The most common way to conduct socially distanced meetings is through cloud-based video conferencing.
Thanks to the COVID lockdown and the user-friendly nature of the platform, Zoom usage for video conferencing has surged. Using Zoom is convenient, but is it safe? The growing usage of Zoom is revealing flaws in the platform. It turns out that the cloud-collaboration tool can be hacked, and that’s a threat to the security and privacy of your meetings.
Why should you care? Are these security and privacy issues serious? Just what are the security issues plaguing the app? For the sake of you and your coworkers, let’s go further into some of the most pressing safety issues with Zoom.
In this article, we’ll explore four little BIG? reasons why Zooming isn’t as safe as it seems. Let’s find out who’s Zooming who.
How do you know if you’ve been Zoombombed? Similar to photobombing (when someone intentionally or unintentionally appears in your camera’s field of view as a picture is taken), Zoombombing is when an uninvited user appears on your Zoom call. It’s easy to detect in smaller meetings, and when the Zoombomber is deliberately causing mayhem, but it could go unnoticed if the culprit is silently observing a large meeting or virtual event. If privacy and confidentiality are vital to your meeting, an unnoticed, uninvited lurker might be disastrous.
How can someone hack into a Zoom meeting? Every Zoom meeting is assigned a one-of-a-kind meeting ID number. Between nine and eleven digits, the number grants entry to a conference. While the meeting ID numbers are unique, for people well-versed in the platform, they are easy to predict. Hackers take advantage of this flaw in Zoom’s security.
Zoom offers a couple of counteractions to protect your meetings. First, you can enable password protection for your Zoom calls when creating the meeting, making it more difficult for someone to hack their way in. Second, Zoom added a feature that enables you to kick someone out of your call, so you can send a suspicious actor packing.
That’s a good start, but are you truly secure?
2. False Claims of End-to-End Encryption
Zoom hyped end-to-end encryption as an improved security feature in early 2020 and rolled out the security option in late 2020. In principle, encryption keys are generated by Zoom’s cloud and distributed to meeting participants as they join the meeting. This is supposed to create an environment in which only you and the other people in your conversation can read each other’s messages; outsiders won’t be able to decipher them.
Unfortunately, it’s difficult to believe that this late 2020 feature does what Zoom says it does. Zoom is known to have misled customers in the past by saying it provided end-to-end encryption when it did not.
In November 2020, the Federal Trade Commission (FTC) said, “[S]ince at least 2016, Zoom misled users by touting that it offered ‘end-to-end, 256-bit encryption’ to secure users’ communications, when in fact it provided a lower level of security.” In this situation, Zoom could easily have hacked customers’ conversations. “Zoom maintained the cryptographic keys that could allow Zoom to access the content of its customers’ meetings, and secured its Zoom Meetings, in part, with a lower level of encryption than promised,” the FTC noted.
3. The Dark Web is Littered with Hacked Zoom Accounts
Cybersecurity firm Sixgill discovered 352 compromised Zoom accounts that a single hacker posted on the dark web. The following details were exposed:
- Zoom meeting IDs
- Host names
- Email addresses
- Type of Zoom account
While most of the accounts were personal, the list also included a large US healthcare provider, a number of schools, and several small businesses. Fortunately, both the hacker who uploaded the accounts, and the users who followed the link, appear to have been more interested in trolling and mayhem than in making a profit from the stolen information.
However, that provides little comfort to the account owners, as the exposed credentials could easily be exploited for corporate espionage or identity theft.
4. Personal & Business Zoom Videos Posted on the Open Web
Zoom prioritizes the user-friendliness of the platform over security. This includes a default file naming protocol where Zoom names recorded meetings in an identical way.
When customers record meetings, they often download the recordings from Zoom’s cloud storage, and then save them on their own cloud so that the files are maintained in a way that suits their needs. If the users save meetings to an unprotected cloud service, the videos could be discovered by anyone.
This is where the default naming feature can cause real problems. If the file owner uploads a meeting to the cloud without password protecting it or without changing the file name, anyone familiar with Zoom’s file naming methodology can find, download, watch, and share the unprotected videos. Because of this security flaw, hackers have found and posted thousands of Zoom meetings to the open web.
Reports of leaked private meetings and confidential material that have been leaked online are concerning. The types of exposed content include:
- Private therapy sessions
- Company financial statements
- Virtual elementary school classes
While the user-friendliness of Zoom makes it a popular video conferencing platform, is it really worth all of the risks?
Is any Space Secure?
Unsure of how to protect yourself and your team? War Room ensures online meeting privacy. Developed by VirnetX, War Room provides secure video conferencing with a comprehensive security posture to prevent cyber attackers from accessing critical and sensitive information. To read more about War Room, register to download our white paper, then contact us today. We can make your choice an easy one.
VirnetX Holding Corporation is an Internet security software and technology company with patented technology for secure communications, including 4G LTE and 5G security. VirnetX’s software and technology solutions, including its secure domain name registry and Gabriel Connection Technology™, are designed to facilitate secure communications and to create a secure environment for real-time communication applications such as instant messaging, VoIP, smartphones, e-readers, and video conferencing. The Company’s patent portfolio includes over 200 U.S. and foreign-granted patents, validations, and pending applications. For more information, please visit www.virnetx.com