Update: Lots of changes have been made to Zoom since this article was first posted. I will be expanding the security recommendations section below.
I am getting a lot of questions from clients right now regarding the use of Zoom. It may be hard to filter the signal from the noise, so I put this together to help you. I don’t believe in FUD and I’m concerned about security issues we can fix right now.
Common Zoom Questions
- Is it safe to use Zoom?
- Should we look into using a different product?
- Will hackers join my session?
- How/Can I protect myself?
With the whole planet shifting towards working from home due to the COVID-19 pandemic, everyone is using a variety of technologies to facilitate it. One of the more popular providers is Zoom. It was wildly popular before the pandemic and now has exploded.
With increased attention comes increased scrutiny. I won’t go into all the details of the Zoom issues, but they fall into two categories:
- Bugs / Privacy Issues / Software Functionality
Bugs / Privacy Issues / Software Functionality
Some of the issues coming about relate to the data that Zoom gathers from people, integrations with 3rd party software automating the retrieval of data people already submitted, or software functionality that some find a little creepy. There are even issues with social media sharing.
This is the area I want to focus on, because more often than not this is where real security issues come from: the misconfiguration of our tools and software. A phenomenon known as Zoombombing, where random people join meetings and share disturbing content, stems from 2 main issues:
- Join before host is enabled (disabled by default)
- People using their personal meeting IDs
Many executives use their personal ID for all meetings out of convenience. Security folks are often complaining or asking users not to use this method, and to use a unique meeting ID for each meeting instead. Combined with allowing Join Before Host, we now have a recipe for disaster, such as Zoombombing.
Oftentimes a Personal Meeting ID (PMI) is a person’s firstname+lastname. So if a person is named Jane Doe, their personal meeting link would be “https://zoom.us/my/janedoe”. This can be easily enumerated by any program or machine.
There is even an underground tracking personal meeting IDs that have been found:
By default, “Join Before Host” is disabled, so you should see this:
Oftentimes this feature is enabled, to allow participants to join in the event the host is running late.
Zoom Security – Next Steps?
Most people out there are not having public Zoom meetings. Most participants in a meeting are going to be co-workers. The threat surface expands when there are larger meetings like All-Hands, Webinars, or Board Meetings.
Some people are looking to change their videoconferencing platform for all of the above. From a security perspective, that would not be my recommendation as everything needed to secure your Zoom setup is available. If privacy is a concern or you don’t want an app installed on your machine, then maybe Jitsi is what you’re looking for.
Here is what you should do:
- Tell your employees not to use their personal meeting IDs anymore for meetings.
- If they insist on doing so, require them to disable “Join Before Host” and enable “Co-Host” to allow others to manage the meeting. Show them the integrations above to encourage them to move away from PMIs.
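To find out who still needs that conversation, the checks above can be run over a list of scheduled meetings. This is an added example, not part of the original article and not Zoom's own tooling; the inventory is constructed and its field names (uses_pmi, join_before_host, co_host, personal_link) are assumptions to be mapped from whatever your admin export provides.

```python
import re

# Constructed inventory of scheduled meetings. The field names are assumptions
# made for this example; map them from whatever your admin export provides.
MEETINGS = [
    {"host": "Jane Doe", "topic": "All-Hands", "uses_pmi": True,
     "join_before_host": True, "co_host": False, "personal_link": "janedoe"},
    {"host": "Raj Patel", "topic": "Board Meeting", "uses_pmi": True,
     "join_before_host": False, "co_host": True, "personal_link": "rp-7f3k"},
    {"host": "Ana Li", "topic": "Standup", "uses_pmi": False,
     "join_before_host": True, "co_host": False, "personal_link": ""},
    {"host": "Sam Roe", "topic": "1:1", "uses_pmi": False,
     "join_before_host": False, "co_host": False, "personal_link": ""},
]

def guessable_link(host, link):
    """True when the personal link is just the host's name run together."""
    parts = re.findall(r"[a-z]+", host.lower())
    norm = re.sub(r"[^a-z0-9]", "", link.lower())
    return len(parts) >= 2 and norm in {parts[0] + parts[-1], "".join(parts)}

def audit(meeting):
    """Return finding codes for one meeting, most serious first."""
    findings = []
    if meeting["uses_pmi"] and meeting["join_before_host"]:
        findings.append("PMI_WITH_JOIN_BEFORE_HOST")   # the Zoombombing recipe
    elif meeting["uses_pmi"]:
        findings.append("PMI_IN_USE")                  # prefer a unique meeting ID
    elif meeting["join_before_host"]:
        findings.append("JOIN_BEFORE_HOST_ENABLED")    # non-default setting
    if meeting["uses_pmi"] and not meeting["co_host"]:
        findings.append("PMI_WITHOUT_CO_HOST")
    if guessable_link(meeting["host"], meeting["personal_link"]):
        findings.append("GUESSABLE_PERSONAL_LINK")
    return findings

def report(meetings):
    """Map 'host / topic' to findings, skipping clean meetings."""
    out = {}
    for m in meetings:
        found = audit(m)
        if found:
            out[f"{m['host']} / {m['topic']}"] = found
    return out

if __name__ == "__main__":
    for key, found in report(MEETINGS).items():
        print(f"{key}: {', '.join(found)}")
```

Meetings that report PMI_WITH_JOIN_BEFORE_HOST are the ones to fix first, since that combination is the one described above as the recipe for Zoombombing.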