Zoom Security – What To Do?

Update: Lots of changes have been made to Zoom since this article was first posted; I will be expanding the security recommendations section below.

I am getting a lot of questions from clients right now regarding the use of Zoom. It may be hard to filter the signal from the noise, so I put this together to help you. I don’t believe in FUD, and I’m concerned about security issues we can fix right now.

Common Zoom Questions

  • Is it safe to use Zoom?
  • Should we look into using a different product?
  • Will hackers join my session?
  • How/Can I protect myself?

With the whole planet shifting towards working from home due to the COVID-19 pandemic, everyone is using a variety of technologies to facilitate remote work. One of the more popular providers is Zoom. It was wildly popular before the pandemic and has now exploded.

With the increased attention comes increased scrutiny. I won’t go into all the details of the Zoom issues, but they fall into two categories:

  • Bugs/Privacy Issues/Software Functionality
  • Misconfigurations

Bugs/Privacy Issues/Software Functionality

Some of the issues relate to the data that Zoom gathers from people, integrations with third-party software that automate the retrieval of data people have already submitted, or software functionality that some find a little creepy. There are even issues with social media sharing.

Zoom is no different than most other apps or startups in the data that it gathers or shares; however, the main takeaway here is that Zoom’s privacy policy should be clear on all the data it handles and how it shares it.

Misconfigurations

This is the area I want to focus on because, more often than not, this is where real security issues arise: the misconfiguration of our tools and software. A phenomenon known as Zoombombing, where random people join meetings and share disturbing content, stems from two main issues:

  • “Join Before Host” is enabled (it is disabled by default)
  • People using their personal meeting IDs

Many executives use their personal ID for all meetings out of convenience. Security folks are often complaining about this or asking users not to use this method and, instead, to have a unique meeting ID for each meeting. Combined with allowing Join Before Host, we now have a recipe for disaster, such as Zoombombing.

Oftentimes, a Personal Meeting ID (PMI) is a person’s firstname+lastname. So if a person is named Jane Doe, their personal meeting link would be “https://zoom.us/my/janedoe.” Any program or machine can easily enumerate this.

There are even underground groups tracking personal meeting IDs that have been found.

By default, “Join Before Host” is disabled.

Oftentimes, this feature is enabled to allow participants to join the event if the host is running late.

Zoom Security – Next Steps?

Most people are not holding public Zoom meetings. Most participants in a meeting are going to be co-workers. The threat surface expands when there are larger meetings like All-Hands, Webinars, or Board Meetings.

Generating a meeting is so easy right now. Zoom has excellent integration with Google Calendar and Slack, so meeting IDs are generated automatically.

Some people are looking to change their videoconferencing platform because of all of the above. From a security perspective, that would not be my recommendation, as everything needed to secure your Zoom setup is available. If privacy is a concern or you don’t want an app installed on your machine, then maybe Jitsi is what you’re looking for.

Here is what you should do:

  • Tell your employees not to use their personal meeting IDs anymore for meetings.
    • If they insist on doing so, require them to disable “Join Before Host” and Enable “Co-Host” to allow others to manage the meeting. Show them the integrations above to encourage them to move away from PMIs.
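As an added example (not code from this article), here is a small Python audit that applies the two rules above to user settings records: no PMI at all, and if PMI is still in use, “Join Before Host” off and “Co-Host” on. The field names `schedule_meeting.join_before_host`, `use_pmi_for_*` and `in_meeting.co_host` follow the shape of Zoom’s user settings API but are an assumption here, and the sample users are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample records, shaped like the "schedule_meeting" and "in_meeting"
# blocks of a Zoom user-settings record (field names are an assumption; the
# users are invented).
SAMPLE_USERS = [
    {"email": "jane.doe@example.com", "in_meeting": {"co_host": False},
     "schedule_meeting": {"use_pmi_for_scheduled_meetings": True,
                          "use_pmi_for_instant_meetings": True, "join_before_host": True}},
    {"email": "john.roe@example.com", "in_meeting": {"co_host": False},
     "schedule_meeting": {"use_pmi_for_scheduled_meetings": True,
                          "use_pmi_for_instant_meetings": False, "join_before_host": False}},
    {"email": "ops@example.com", "in_meeting": {"co_host": True},
     "schedule_meeting": {"use_pmi_for_scheduled_meetings": False,
                          "use_pmi_for_instant_meetings": False, "join_before_host": True}},
]

@dataclass
class Finding:
    email: str
    severity: str  # "high", "medium" or "low"
    advice: str

def audit_user(user: dict) -> Optional[Finding]:
    """Apply the article's rules (no PMI; if PMI, no Join Before Host and a co-host)."""
    sched = user.get("schedule_meeting", {})
    uses_pmi = bool(sched.get("use_pmi_for_scheduled_meetings")
                    or sched.get("use_pmi_for_instant_meetings"))
    jbh = bool(sched.get("join_before_host"))
    co_host = bool(user.get("in_meeting", {}).get("co_host"))
    email = user["email"]
    if uses_pmi and jbh:  # the Zoombombing recipe: guessable room, nobody watching the door
        return Finding(email, "high", "disable Join Before Host, then move to unique meeting IDs")
    if uses_pmi and not co_host:
        return Finding(email, "medium", "enable Co-Host so someone can manage the meeting, or use unique IDs")
    if uses_pmi:
        return Finding(email, "low", "PMI still in use; encourage unique meeting IDs")
    if jbh:
        return Finding(email, "low", "Join Before Host lets participants meet unattended")
    return None

def audit(users: list) -> list:
    """Findings for every user that breaks a rule, worst first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted((f for f in map(audit_user, users) if f), key=lambda f: rank[f.severity])
```

Feed it the settings of each account you administer and work the list from the top; the “high” entries are the ones that reproduce the Zoombombing recipe described above.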

If this article was helpful to you, consider subscribing to my weekly newsletter, where I share my latest commentary as a vCISO for high growth startups.

Check out how we help startups accelerate and level up their security programs through vCISO (CISO As A Service) and DevSecOps As A Service.
