Zoom has had a rough few weeks. Ever since exploding into popularity, Zoom has found itself bombarded by reports of privacy and security issues. These have prompted many to quit the platform, and cyber security experts to issue advisories. Thankfully, Zoom itself appears to be taking matters seriously, roping in key cyber security figures such as ex-Facebook security head Alex Stamos and, more recently, Katie Moussouris of Pentagon bug bounty fame.
However, while security features are still being built into the service, there are quite a few steps that you, as a user, need to take if you want to keep your privacy and data safe. In many cases, these steps also make the most of the new tools that Zoom itself has announced for users to adopt. While the onus is largely on Zoom to improve its app, this is also a key time for users to become well versed in basic security practices that should be followed everywhere.
With that in mind, here are a few key steps you need to take if, despite the privacy and safety concerns, you still use Zoom for your official video conferencing.
Logging in and passwords
The first key step is to avoid using a third-party login to sign in to Zoom. By signing in with Facebook or Google, you link those private accounts to Zoom, which increases the risk of your private information being stolen if Zoom is breached and attackers trace the linked integrations. Always use a unique username and password.
Once logged in, use a password-protected meeting invite if you are a host. This minimises the risk of 'zoombombing', where Zoom meetings are bombarded by malicious users with racial slurs or pornographic imagery. If you are only joining a meeting, try not to log in to the service at all, since joining only requires you to enter the meeting ID and password. If you are an attendee, insist that your host uses a password-protected link and an automatically generated meeting ID for each invite.
Steps for teachers
Zoom states that teachers should refrain from posting images of their virtual classrooms, so that the classroom and its participants cannot be identified from them. Teachers are also urged to use the 'lock meeting' option once all attendees have joined the session. This is much like physically locking a classroom door once a class has begun, so that no unauthorised access can happen.
Teachers can also require students to register with their email addresses, so that any unrecognised address belonging to an intruder can be spotted and removed immediately. They are also advised to use randomly generated meeting IDs instead of their own fixed meeting ID. This helps keep teachers, and in turn all their students, from being tracked online and traced to active meeting rooms. Schools can also have students sign up for official Zoom accounts and allow only those accounts to authenticate into a particular meeting room.
To enforce further restrictions, teachers can prevent students from joining an online classroom before the teacher does. Other restrictions include disabling participant annotation, or disabling the audio and video feeds of participants who are being disruptive.
Are these steps foolproof?
Well, not quite. For one, Zoom has yet to improve its encryption standard. Zoom still uses the AES-256 ECB encryption standard, which only requires an easily decipherable AES-128 security key to decrypt a packet (or a bulk of information) intercepted in transit between servers. This is reportedly how hackers obtained the sensitive user information they were selling on the dark web. In fact, a recent report by Motherboard revealed further zero-day exploits for Zoom's Windows and Mac apps, which were reportedly being circulated on the dark web for $500,000.
The encryption issue, coupled with the fact that Zoom routed data through Chinese data centres, led users to suspect that Chinese cyber espionage agents might be tapping foreign data without any accountability. In response, Zoom has stated that it will now let customers select the data centre where their information is stored.
Zoom is also adding a 'report user' feature to ban 'zoombombers', making complex passwords mandatory for cloud storage accounts, and making the data route more transparent to all its users. On top of this, Zoom's Stamos recently said that in the next few weeks Zoom will migrate to the safer AES-256 GCM encryption standard, and that in the long term it is working on an end-to-end encryption project with top cryptographers. It is not yet clear whether Zoom will take a decentralised approach that would remove any suspicion of surveillance on its users. While there is still significant room for improvement at Zoom, these measures are a start. In the meantime, if you must use Zoom for video calls, the steps above are imperative.
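To show why the move from ECB to GCM matters, here is an added example in Go (not Zoom's code; the 256-bit key and the payload of eight identical 16-byte blocks are constructed for the demo). Under ECB every repeated plaintext block produces an identical ciphertext block, so patterns in an intercepted packet survive encryption; AES-GCM hides the repeats and appends an authentication tag that lets the receiver reject a packet altered in transit.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// ecbEncrypt: every 16-byte block is encrypted independently under one key, so
// equal plaintext blocks yield equal ciphertext blocks (the ECB leak).
func ecbEncrypt(key, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil || len(pt)%aes.BlockSize != 0 {
		panic("ecbEncrypt: bad key size or input not a multiple of 16 bytes")
	}
	ct := make([]byte, len(pt))
	for i := 0; i < len(pt); i += aes.BlockSize {
		block.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}
// gcmEncrypt: AES-GCM with a fresh random nonce; output is nonce||ct||tag. The
// keystream varies per nonce and counter, and the tag detects tampering.
func gcmEncrypt(key, pt []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return aead.Seal(nonce, nonce, pt, nil)
}
// repeatedBlocks counts 16-byte ciphertext blocks that duplicate an earlier one.
func repeatedBlocks(ct []byte) int {
	unique, n := map[string]bool{}, 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		unique[string(ct[i:i+aes.BlockSize])], n = true, n+1
	}
	return n - len(unique)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32)                // constructed 256-bit demo key
	frame := bytes.Repeat([]byte("SAME_BLOCK_0123!"), 8) // constructed payload: 8 equal blocks
	fmt.Println("repeated blocks, ECB:", repeatedBlocks(ecbEncrypt(key, frame)), "GCM:", repeatedBlocks(gcmEncrypt(key, frame)[12:]))
}
```

The ECB count comes out as 7 (eight identical blocks, one unique), the GCM count as 0; flipping any byte of the GCM output makes decryption fail, whereas an ECB packet carries no such check.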