The video chat system Zoom wasn’t prepared for the popularity it’s facing here in the spring of 2020. Much like a startup group attempting to create a new product with a crowdfunding campaign, Zoom is finding that their own popularity might be more than they can handle. Issues begin with the simple nature of the group chat, and the ease with which one can join.
Each Zoom call has a “randomly” generated ID number between 9 and 11 digits long. This code can be guessed – one could potentially start entering random numbers until a room is found. Now, with massive numbers of groups being formed and calls being made at any given time, one’s chances of making a correct guess have increased enormously.
Multiple examples of troll attacks have been reported over the past few weeks. Business Insider has an example of trolls breaking into Alcoholics Anonymous meetings. KXAN published a report on the “Zoombombing” of a University of Texas video conference. The FBI put out a warning to users about Zoom video conferencing specifically.
Selling data to Facebook
Zoom was sued in March for allegedly selling user info to Facebook without authorization. A Motherboard report showed how the Zoom iOS app sent data to Facebook using Facebook’s front-end data sharing system. That’s the sort that sends data to Facebook even if you do not have a Facebook account.
No E2E encryption
A perfect example of Zoom’s inability to deal with monstrous growth was the company’s expectation that its claim of “end-to-end encryption” for meetings wouldn’t be investigated. Zoom does not use, nor does it include the ability to use, end-to-end encryption in Zoom video meetings. The website still claimed to use end-to-end encryption on its “security” page as of this morning – 10:26 AM Central Time, April 1, 2020.
This was revealed by The Intercept, and confirmed by Zoom, earlier this week. Zoom’s security white paper and the UI within its mobile apps claimed to include end-to-end encryption when, in fact, the lot used “transport encryption.” These are different sorts of technology.
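To make the difference concrete, here is an added sketch (not Zoom's code, and not from the original article) that models what a relay server is able to read under each scheme. The Relay class and function names are hypothetical, the video frame is constructed, and a one-time-pad XOR stands in for the real ciphers (TLS, AES) a product would use.

```python
import secrets

def xor(data: bytes, pad: bytes) -> bytes:
    """One-time-pad XOR; a stand-in for a real cipher in this sketch."""
    if len(pad) < len(data):
        raise ValueError("pad shorter than data")
    return bytes(d ^ p for d, p in zip(data, pad))

class Relay:
    """Hypothetical meeting server that records whatever it is able to read."""
    def __init__(self):
        self.seen = []

    def forward_transport(self, ct_in, key_sender_hop, key_receiver_hop):
        # Transport encryption: the server holds a key for each hop, so it
        # decrypts the sender's traffic and re-encrypts it for the receiver.
        plaintext = xor(ct_in, key_sender_hop)
        self.seen.append(plaintext)
        return xor(plaintext, key_receiver_hop)

    def forward_e2e(self, ct_in):
        # End-to-end: the key exists only on the two endpoints, so the
        # server can do nothing but pass the ciphertext along unchanged.
        self.seen.append(ct_in)
        return ct_in

def send_transport(frame: bytes, relay: Relay) -> bytes:
    k_a = secrets.token_bytes(len(frame))   # shared by sender and server
    k_b = secrets.token_bytes(len(frame))   # shared by server and receiver
    ct_to_receiver = relay.forward_transport(xor(frame, k_a), k_a, k_b)
    return xor(ct_to_receiver, k_b)         # receiver decrypts its own hop

def send_e2e(frame: bytes, relay: Relay) -> bytes:
    k_ab = secrets.token_bytes(len(frame))  # shared by sender and receiver only
    return xor(relay.forward_e2e(xor(frame, k_ab)), k_ab)

def demo():
    frame = b"constructed sample video frame"
    t_relay, e_relay = Relay(), Relay()
    got_t = send_transport(frame, t_relay)
    got_e = send_e2e(frame, e_relay)
    # Returns: what each receiver got, then what each server was able to see.
    return got_t, got_e, t_relay.seen[0], e_relay.seen[0]

if __name__ == "__main__":
    got_t, got_e, server_t, server_e = demo()
    print("transport relay saw:", server_t)
    print("e2e relay saw:      ", server_e.hex())
```

In both modes the receiver recovers the frame and the traffic is protected on the wire; only in the transport model does the server in the middle hold the plaintext.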
Zoom can spy on you
Zoom has the ability to view video meetings held on its platform. Zoom hadn’t published a transparency report on this or any other matter as of March of 2020, prompting an open letter (PDF) from Access Now. This letter asks/demands that Zoom publish a report on how and when data used by Zoom is being shared with 3rd-party groups.
Zoom security issues aren’t new
Back in July of 2019, it was discovered that the Zoom app for Macs left computers vulnerable to camera hijacking and spying. Apple went so far as to remove the app from the app store because security concerns were so daunting.
How to be slightly more secure
When you host a meeting, require a password. Do not share links to your teleconference or classroom for Zoom on any insecure platform. Send the link to your room only 1-to-1, from you to individual people.
Make sure all users are working with the latest version of Zoom software. If they have a version that’s older than January of 2020, it’s too old. It’s an insecure version of the software, and it’s vulnerable to outside attack. The key here is making CERTAIN you’re not sharing details for your Zoom room anywhere that a random, outside party could see it.