As the country finds new ways of communicating during the COVID-19 pandemic, many people have turned to online conferencing platforms like Zoom to stay in touch with family and friends, as well as colleagues at remote work locations, while sheltering in place.
Zoom claims 200 million daily users worldwide, but according to the FBI, there has been a rise in the number of so-called “Zoom bombing” attacks whereby hackers disrupt business conferences, online classrooms and therapy sessions with pornographic and/or hate images and threatening language.
Anyone who hacks into an online conference can be charged with state or federal crimes. Charges may include – to name just a few – disrupting a public meeting, computer intrusion, using a computer to commit a crime, hate crimes, fraud, or transmitting threatening communications. All of these charges are punishable by fines and/or imprisonment.
Whether you run a business, a healthcare facility, a classroom, or you just want to video chat with family, you need to be aware that your video conference may not be secure and information you share may be compromised. Due to Zoom’s security holes, hackers have an easy time getting into and disrupting meetings.
Security an Afterthought
Among the concerns is that Zoom uses an encryption scheme that it developed itself rather than implementing a recognized open standard. Even more concerning is that Zoom sends traffic to China – even when all the people in a Zoom meeting are outside of China. Specifically, the keys for encrypting and decrypting meetings are transmitted to servers in Beijing. Further, all development of the Zoom application is done in China. All this makes Zoom risky for government and business use, especially since this arrangement could also open up Zoom to pressure from Chinese authorities.
Zoom has also lied about this critical element of its conferencing application, stating all along that it uses end-to-end encryption. In April, Zoom clarified its encryption policy and issued an apology for incorrectly “suggesting” that meetings were capable of end-to-end encryption.
Another security flaw is that Zoom does not require meeting hosts to use a unique file name before saving their own clips online. Since Zoom names every video recording in an identical way, a simple online search can reveal a long stream of videos that anyone can download and watch.
Videos viewed by The Washington Post, for example, included one-on-one therapy sessions; a training orientation for workers doing telehealth calls that included people’s names and phone numbers; small-business meetings that included private company financial statements; and elementary-school classes in which children’s faces, voices and personal details were exposed.
As if all this weren’t enough, Zoom is the target of a class-action lawsuit in California for allegedly giving users’ personal data to outside companies, including Facebook, without their consent. Zoom is also being probed by New York’s top prosecutor for how it handles customer data.
As people become more aware of Zoom’s shortcomings and misrepresentations, a growing number of organizations forbid employees from using Zoom due to its significant privacy and security issues. These organizations include Elon Musk’s SpaceX, Google, the NYC Department of Education, and the government of Taiwan. Other governments here and elsewhere are voicing their reservations about Zoom.
Not surprisingly, investors are bullish on Zoom because it has grown by leaps and bounds in the last few months and the stock price keeps going up. Even so, security concerns and company missteps tend to be explained away as “growing pains”.
As more people continue the transition to online lessons and meetings, it’s important to exercise due diligence and caution. The FBI recommends the following steps to mitigate online conferencing threats:
- Do not make meetings or classrooms public. Zoom now offers two options to make a meeting more private: require a meeting password, or use the waiting room feature and control the admittance of guests.
- Do not share a conference link on an unrestricted publicly available social media post. Provide the link directly to specific people.
- In Zoom, change screen sharing to “Host Only.”
- Ensure meeting participants are using the most updated version of the application. In January, Zoom updated their software to require passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
- Finally, ensure that your organization’s telework policy addresses requirements for physical and information security.
If you become a victim of a conference hijacking, or any cyber-crime, the FBI would like to know about it. A report can be filed with the FBI’s Internet Crime Complaint Center at https://www.ic3.gov/default.aspx.
Nathan Muller is the author of 29 technical books and over 3,000 articles that have appeared in 75 publications worldwide. He also writes articles, blogs and social media content for tech companies and their executives.