The video conferencing app Zoom has exploded in popularity as much of the world begins to work from home. With that popularity, however, has come increased scrutiny and the attention of security researchers. In response to recent concerns about security and privacy, Zoom has outlined many of the steps it has taken to protect its users in a recent blog post.
A Zoom blog post offers tips for organizers on protecting meetings from disruption by so-called “Zoombombers.” When sharing meeting invitations, avoid posting your PMI (Personal Meeting ID) online; a random meeting ID should be generated for each event so that a meeting link from a prior event cannot be used to join all future events. It is important to protect every online meeting with a password. Zoom also has a “Waiting Room” feature that lets the host control who can enter the meeting. More ways to protect Zoom meetings can be found in the post.
Zoom acknowledged the security concerns around vulnerabilities and end-to-end encryption. Zoom has released a software update that removes the rendering of UNC (Universal Naming Convention) paths as links, so they can’t be clicked. Issues with the macOS installer and the webcam vulnerability pointed out by researcher Patrick Wardle were also addressed.
Security reporter Brian Krebs described a tool called “zWarDial,” which is capable of discovering any currently active Zoom meeting that is not protected with a password. Using this tool, attackers can discover approximately 100 open meetings per hour. Zoom responded by saying it would enable passwords by default in all future scheduled meetings.