Coronavirus: Experts Urge Caution Over Zoom Teleconference Security

The news last week that the government is using Zoom teleconferencing software for Cabinet meetings has spurred a debate around the security of the popular software.

Usage of Zoom has spiked during the coronavirus pandemic, and has seen the company’s shares rise dramatically over the past few weeks.

The government held its first-ever videoconferenced Cabinet meeting on Tuesday of last week, and on Thursday prime minister Boris Johnson tweeted a photo of himself using the application.

But security experts have urged users to be alert to the possibility that Zoom and similar applications could be hacked.

Military use

Last week Ministry of Defence staff were reportedly told the use of Zoom was being suspended while its security implications were investigated.

The MoD denied the reports, telling the BBC Zoom had never been used for high-security meetings, but was continuing in use for cross-government chats.

The Cabinet Office later clarified that Zoom is being used only for discussions that do not touch on high-security topics.

“In the current unprecedented circumstances the need for effective channels of communication is vital,” the Cabinet Office said in a statement.  “National Cyber Security Centre guidance shows there is no security reason for Zoom not to be used for conversations below a certain classification.”

Zoom said it takes security “extremely seriously”.

“Globally, 2,000 institutions ranging from the world’s largest financial services companies to leading telecommunications providers, government agencies, universities, healthcare and telemedicine practices have done exhaustive security reviews of our user, network and data centre layers confidently selecting Zoom for complete deployment,” the company said.

“We are in close communication with the UK Ministry of Defence and National Cyber Security Centre and are focused on providing the documentation they need.”

Caution

Computer security researchers have urged users should exercise caution with Zoom, as with any other teleconferencing application.

In Zoom’s case, the company  collects data on users of its free service, including name, physical address, email address, phone number, job title and employer.

There is also the risk of disruption to public Zoom chats set up with minimal restrictions, as users have increasingly discovered.

The phenomenon of “zoombombing” involves gate-crashing such calls, which don’t place restrictions on who can join.

Security experts advised users to switch Zoom’s screen-sharing to “host only” to avoid having zoombombers display disruptive imagery to the rest of the group.

They also said users should switch off Zoom’s file-sharing feature, which is turned on by default and could potentially be used by gate-crashers to spread malware.

Vulnerabilities

Zoom’s paid business and government tiers are more secure by default, but even then the software, like any other, can become vulnerable to any security issues that may be uncovered.

In July of last year researchers disclosed a zero-day flaw in the Mac Zoom client that could have allowed attackers to switch on a user’s webcam if they had Zoom installed.

The flaw was first reported to Zoom in March and the company took several months to resolve the issue.

Andrew Dwyer, a computer security researcher at the University of Bristol, characterised the company’s response as “lax”.

Other vulnerabilities include one disclosed by Check Point in January that could have allowed eavesdroppers to join Zoom calls that didn’t have passwords enabled if they happened to guess the 9, 10, or 11-digit meeting ID.

“Should we be divulging so much personal data to this company?” Dwyer said in a post on Twitter.

“The rush to online means we need to pay more attention and not less.”

So far, however, such concerns have done nothing to dampen the popularity of Zoom or of shares in software maker Zoom Video – to the point that last Thursday the US Securities and Exchange Commission was forced to suspend trading in the shares of Zoom Technologies, a small, unrelated company with the stock market ticker ZOOM, after concluding that buyers were purchasing its shares accidentally.