Zoom has been making headlines recently, both good and bad. Since we’ve been using Zoom for at least five years, I’ve had a lot of questions from our clients regarding what they’ve seen in the news recently. Before I go into the details of why, I will state that Spectrum trusts and will continue to use the Zoom platform.
Zoombombing
What is Zoombombing? Zoombombing is when unauthorized people access your meeting and share inappropriate content.
Does this affect other platforms? Yes. Any platform that has a meeting link to join can fall prey to this same attack.
How is it happening? One student thought it would be funny to share the meeting link information to someone who would disrupt his class and others followed suit. There are now dedicated groups that you can give your meeting ID to for purposes of bombing your meeting. In all instances in the news, this was the vector of attack.
Can it be prevented? Yes. We use a combination of the following methods:
- Enabling a waiting room that separates participants from one another until admitted to the meeting room. I liken this more to when you’re put in an exam room and you’re waiting for the doctor than being the waiting room itself. No one in the waiting room can see or hear each other or the host. The host can see the list of participants and admit them one by one or en masse. If someone maliciously joins the meeting, they cannot see or hear anything if not admitted by the host.
- Locking the meeting to prevent new participants from joining. Once the proceeding is underway, we lock the meeting so no one else can get in.
- Password protecting the meeting. This actually acts on another less likely attack vector: someone “guessing” the meeting ID of the meeting using an automated script. Unlikely as it may be, meetings are now password protected by default to prevent this.
- Disabling sharing by default. If you trust the people in your meeting and you’ve taken the other precautions, you shouldn’t have to do this. But we’ve done it anyway as an extra precaution. If you need to share exhibits, we can easily enable the feature on the fly.
Lack of end-to-end encryption
What is end-to-end encryption? End-to-end encryption (E2E) simply means that the communications cannot be intercepted by anyone except the sender or the recipient.
Does it affect other platforms? As I recently shared with a client who was concerned about sensitive privileged communications, most other communication platforms he’s using lacks E2E. His text messages, emails, and phone calls all lack E2E. So do the stacks of medical records laying around his office. Same with the traditional videoconferencing we did for the past 20 years with Polycom units (E2E was possible but rarely used). WebEx, which argues it is E2E encrypted, is giving only a partial truth. See Why doesn’t Zoom just enable E2E? below.
Does lack of E2E put me at risk? I would argue for most meetings, no. Zoom, like WebEx and GoToMeeting, is encrypted between the service provider and each client. But, since Zoom holds the encryption keys, technically it has the capability of decrypting (i.e. listening in on) your meeting. This is used to enable a whole array of useful features listed in the next section. Zoom has published that if, and that’s a big IF, a Zoom employee were to join your meeting in progress, they would be listed as a participant (not invisibly listening in). If you are dealing with national-security level of information and cannot afford that risk, only E2E will do. Zoom cannot access any uploaded meeting materials as of a previous security update.
Why doesn’t Zoom just enable E2E? I imagine this is coming. They hired the former Facebook Security Chief and froze all new feature development for the next 90 days so that they can focus on implementing security and privacy changes. What’s important to note, though, is functionality is sacrificed when you enable E2E. Look at WebEx, for instance. In order to enable E2E, you must disable: Join before Host, Polycom/Lifesize (traditional videoconferencing) clients, Linux clients, cloud recording, saving meeting notes, sharing files, remote screen sharing, AND telephone participants. I expect this will be the same list when Zoom offers E2E.
Chinese servers, hacked accounts, and other concerns
Is my information being stored on servers in China? No. Zoom does have servers in China used for Chinese Zoom meetings. It was discovered that during heavy usage recently in North America that some information was being routed through Chinese servers (including encryption keys). This was by design to provide seamless and fast meetings but has been changed so that North American traffic will never route through Chinese servers.
I read thousands of Zoom accounts have been hacked. True? Sort of. Hackers are taking email addresses and passwords from previous leaks, such as the huge LinkedIn breach in 2012, and trying them in Zoom. Zoom itself has not been breached. There are thousands of accounts for sale that were previously breached and that match current Zoom credentials.
Is Zoom using their own encryption scheme? Yes, which is frowned upon because it hasn’t been peer reviewed for weaknesses. I expect we’ll see this change in the coming months.
I read that my Zoom recordings can be found on the internet because of the naming scheme. Is that true? No. Not unless you download them and then upload them to a public server. Then, in that case, yes. Any Zoom recordings you have are private and not searchable when hosted on Zoom’s servers.
Is Zoom malware? No. This comment stemmed from a “creative” solution that made joining Zoom meetings very easy on iOS devices. Problem was that it was sidestepping baked-in security protocols on iOS and possibly putting the device at risk. This has been changed.
Is Zoom HIPAA compliant? According to five-page guide just published by Zoom in April of this year, yes.
Can someone send me viruses through Zoom? There was an exploit that could be used to run remote software that was fixed immediately after it was discovered. Since then, there have been no other exploits discovered that allow viruses to be sent.
Takeaways
Zoom is scaling at a blistering pace to keep up with a demand that it had no way to predict. It has made some mistakes and will likely make others, just like any company does. Their acknowledgement of issues and their prompt fixes give me even more confidence in their service. Until something better comes along, I will continue recommending Zoom for your deposition and mediation needs.
About the author
Sam Mattern is the Operations Manager of Spectrum Reporting LLC. He holds a Bachelors in Computer Engineering Technology and has 15 years of experience in videoconferencing, network security, and related technologies.