During the coronavirus pandemic, it seems as if everyone is connecting with Zoom’s videoconferencing app -- including, on occasion, unwanted visitors.
Online trolls have been sneaking into web meetings and disrupting them with profanities and pornography for at least the better part of the last month. Cybersecurity researchers fear these disruptions could be a precursor to more harmful attacks allowing hackers to commandeer connected machines to access secure files or other corporate software.
“Much of our current reality is unchartered territory, and this growing dependence on Zoom at home is just another one,” said Mark Ostrowski, regional head of engineering for
In a Wednesday blog post, Zoom said that it takes security concerns “extremely seriously” and is working to address them. In addition, a Zoom representative said in an email that the company is upset about reports of harassment on Zoom and has sought to educate users about protecting meetings.
Zoom also apologized, in another blog, for “the confusion we have caused by incorrectly suggesting that Zoom meetings were capable of using end-to-end encryption.” While the company strives to use encryption in as many scenarios as possible, “we recognize that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it.”
But there’s good news. Users don’t have to follow
There are a few simple steps to host secure video meetings, according to security experts. For instance, ensure your meeting is password protected, and don’t share meeting IDs and passwords on social media, where criminal hackers may grab the credentials.
Experts also recommend that meeting or classroom organizers take attendance and kick out unwanted visitors. Here are a few more tips:
- Use the waiting-room feature to screen meeting participants before allowing them to interact in the meeting room. This can be accessed by clicking on the settings tab and then the In Meeting (Advanced) option.
- Use conference IDs instead of links when inviting others to join. Links can be malicious and used to hack unsuspecting users.
- Don’t repeat meeting IDs to keep unwanted participants out of meetings.
- Apply scrutiny to links and documents, which can contain malicious code.
- When not using computer microphones and webcams, use blockers or covers, both of which can be purchased online.
The most recent incident came on Monday when Patrick Wardle, principal security researcher at Jamf, published a blog abouttwo new flaws in Zoom. If already infected with malware, the Mac OS desktop version could enable attackers to gain high-level privileges and hijack the webcam and microphone, he said. Zoom said it subsequently released fixes for the issues.
Zoom appears to have been designed with security as an “afterthought,” Wardle said, adding that it was a common phenomenon among startups primarily focused on users and funding.
But Zoom’s meteoric popularity has drawn additional scrutiny.
“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home,” Zoom said in the blog post. The influx of new users has presented the company with “challenges we did not anticipate when the platform was conceived” and that company “committed to learning from them and doing better in the future.”
On March 30, the FBI issued a warning about so-called “zoom-bombing,” urging users not to make classes or meetings public or share links to teleconferences on social media.
That same day, a Zoom user sued the company claiming its services were illegally disclosing personal information.
The company collects information when users install or open the Zoom application and shares it, without proper notice, to third parties including
Zoom acknowledged that it shares data with Facebook in a blog post on March 27.
In addition, New York State Attorney General
Concerns over Zoom’s security practices aren’t new. Last year, a researcher named Jonathan Leitschuh discovered that the desktop version of Zoom for Macs quietly installed a web server -- one that remained on systems even if the app was removed -- that presented a new way for hackers to access webcams, he said.
Holding Zoom’s “feet to the fire” around security and privacy amid the app’s new popularity will create incentives for the company to adapt, Leitschuh said in an interview.
(Updates with details on encryption on fifth paragraph.)
--With assistance from
To contact the editor responsible for this story:
© 2020 Bloomberg L.P. All rights reserved. Used with permission.