ZOOM MEETING: HERE’S WHAT YOU NEED TO KNOW

The video conferencing app Zoom gained about 2 million new users in the first two months of 2020—and that was before the World Health Organization declared the coronavirus outbreak a pandemic. With so many people now relying on video conferencing for contact with their friends, family and colleagues, it’s no wonder Zoom has seen a significant increase in its company stock price. But the firm has also attracted some negative press recently for issues related to its privacy and security.

A number of issues with Zoom have attracted public attention, most notably call hijacking or “Zoom-bombing.” Calls that are not set to private or password-protected can be accessed by anyone who inputs the nine- to 11-digit meeting code, and researchers have shown how valid meeting codes could easily be identified (something Zoom now says it prevents).

Zoom claims its calls can be encrypted, but doesn’t use the kind of end-to-end encryption that many people have come to understand as standard for private communication services. Messages or calls sent with end-to-end encryption are effectively locked with the receiving user’s public key that anyone can access, but can only be unlocked by the user’s private key. This system is used by messaging apps such as WhatsApp to ensure only a message’s recipient can read it—not even the app’s provider has access.

Zoom instead uses the AES-256 ECB method of encryption, and the key used to encrypt calls is shared with Zoom’s servers around the globe. This potentially gives those servers full access to the audio and video streams, although the company has stated no user content is available to its employees or servers once encrypted.
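ECB is the mode named above. As an added example (not from the original article or from Zoom), the following Python code shows a well-known property of that mode that goes beyond what the article states: each 16-byte block is encrypted independently, so repeated plaintext blocks produce repeated ciphertext blocks, while AES-GCM with a fresh nonce does not. It assumes the third-party `cryptography` package is installed; the sample frame and all function names are constructed for illustration.

```python
import os

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

BLOCK = 16  # AES block size in bytes


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """AES-ECB: every 16-byte block is encrypted independently."""
    if len(plaintext) % BLOCK:
        raise ValueError("sample input must be a whole number of blocks")
    enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return enc.update(plaintext) + enc.finalize()


def gcm_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """AES-GCM with a fresh random 96-bit nonce, prepended to the output."""
    nonce = os.urandom(12)
    return nonce + AESGCM(key).encrypt(nonce, plaintext, None)


def repeated_blocks(data: bytes) -> int:
    """Count 16-byte blocks that duplicate an earlier block."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return len(blocks) - len(set(blocks))


def demo() -> dict:
    key = os.urandom(32)  # 256-bit key, as in "AES-256"
    # Constructed sample: a "frame" with a uniform background (8 identical
    # blocks) followed by 4 blocks of varying content.
    frame = b"\x00" * BLOCK * 8 + os.urandom(BLOCK * 4)
    return {
        "plaintext": repeated_blocks(frame),
        "ecb": repeated_blocks(ecb_encrypt(key, frame)),
        # Skip the 12-byte nonce; what remains is ciphertext plus the tag.
        "gcm": repeated_blocks(gcm_encrypt(key, frame)[12:]),
    }


if __name__ == "__main__":
    print(demo())
```

The ECB ciphertext keeps exactly as many repeated blocks as the plaintext, which is why structure in the underlying data remains visible to anyone who can observe the encrypted stream.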

Researchers have also found that encryption keys end up on Zoom servers based in China (where the company has development sites) even when no Chinese participants are in the call. This opens the possibility that the Chinese government, famed for its control of internet communications in the country, could eavesdrop on calls. Zoom has now started offering paying customers the ability to opt out of having data routed through China or other regions.

Here are things you can do to maximize your privacy and safety when using Zoom or other video calling services that have potential security issues.

  • Enforce encryption by default and make sure it’s end-to-end if possible
  • Lock and password-protect meetings
  • Unauthenticated users should be held in a waiting room so the organizer can check their identity before admitting them to the call
  • Make sure a meeting host monitors the participants list and ensures no unknown participant joins
  • Be careful with meeting recordings and get consent from the participants
  • Be aware that audio-only participants calling via a regular phone dial-in option will “break” the encryption
  • Be careful with file and screen-sharing capabilities. They could accidentally disclose sensitive information or be used to spread malicious programs.