The video conferencing app Zoom has exploded in popularity with much of the world beginning to work from home. With this rise in popularity, however, came increased scrutiny and the attention of security researchers. In response to concerns about security and privacy, Zoom has outlined many of the steps it has taken to protect its users in a recent blog post.
A Zoom blog post offers tips for organizers to protect meetings from so-called “Zoombombers” disrupting meetings. When sharing meeting invitations, avoid posting your PMI (Personal Meeting ID) online; a random meeting ID should be generated for each event to avoid the possibility of meeting links from a prior event being used to join all future events. It is important to protect every online meeting with a password. Zoom also has a “Waiting Room” feature for the host to control who can enter the meeting. More ways to protect Zoom meetings can be found in the post.
Zoom acknowledged the security concerns around vulnerabilities and end-to-end encryption. Zoom has released a software update that removes UNC (Universal Naming Convention) link rendering, so UNC paths can no longer be clicked. Issues with the macOS installer and a webcam vulnerability pointed out by researcher Patrick Wardle were also addressed.
Security reporter Brian Krebs described a tool called “zWarDial,” which is capable of discovering any currently active Zoom meeting that is not protected with a password. Using this tool, attackers can discover approximately 100 open meetings per hour. Zoom responded by saying it would enable passwords by default in all future scheduled meetings.
Binary Defense analysts expect that people with malicious intent will continue to find ways to take advantage of any opportunity to disrupt online meetings using any platform, especially if participants are able to share video or images with all attendees. Zoom seems to be taking security issues seriously by quickly responding to concerns and patching vulnerabilities. The security of online meetings using Zoom, or any other software, still relies on meeting organizers to understand and properly configure settings for each meeting. By following the steps outlined in their blog, users of Zoom’s conferencing app can protect themselves and their attendees. Protecting every Zoom meeting with a password is important because tools such as “zWarDial” allow attackers to randomly guess meeting IDs and join any meeting that does not require a password to join. Binary Defense also recommends applying any future updates that may fix vulnerabilities or other concerns raised by upcoming security reviews by a third party and an “enhanced” bug bounty program.