Security Risks with Zoom and Other Teleconferencing Tools
The use of video and audio conferencing has increased due to the COVID-19 pandemic, along with the risks that come from using these tools, particularly Zoom. Firms and individuals should take steps to protect themselves from these increased risks.
One concern is the practice of “Zoombombing,” when hackers or pranksters illicitly gain entry into Zoom meetings to disrupt them with malicious content. The FBI has issued warnings related to teleconferences and online classes being hijacked. Additionally, information security websites have pointed to the existence of widely available hacking tools that expose Zoom meeting codes, and indicated the presence of multiple internet groups devoted to organizing Zoombombing raids. Beyond the issues of harassment, unwarranted access has heightened the threat of exposure and exfiltration of sensitive information.
Other software security issues have also been discovered, though some have been resolved. For example:
- Zoom’s privacy policy allowed for targeted advertising, but this is no longer the case.
- Facebook tracking software had previously been installed, though it has been removed.
- A problem with the Zoom company directory may inadvertently lead to the sharing of personal email addresses with others.
- A bug may allow attackers to take over cameras and microphones.
The issues with Zoom are causing a backlash against its usage. For example, the NYC Department of Education has banned its use for online learning. Despite security concerns, the tool remains popular, with figures indicating usage by more than 200 million daily meeting participants in March alone.
It is important to note that most teleconferencing systems do not use end-to-end encryption, in which information is encoded and only available to those with a security key. With most teleconferencing software, communications are encrypted between each user and the video conferencing provider’s servers, but not fully between each participant. While unlikely, video conferencing providers may be able to eavesdrop on content. As a result, data privacy and security issues remain with Zoom and other similar tools.
ACA Guidance
While Zoom and other teleconferencing tools present some security issues, their use is still needed for business functionality during the crisis. As such, measures are available and should be taken to enhance teleconferencing security. Recommended actions include:
- Ensure that the latest version of the conferencing software is in use and keep it up to date with software patches
- Use unique meeting numbers and PINs for calls needing to remain confidential
- Require the use of a waiting room and organizer approval for callers to enter the room
- Take roll call against the number of attendees and close entry once that number has been reached
- Insist on user permission to record any conference
- Review and understand vendor permissions regarding content storage and access – read the terms and conditions
- Use corporate conference tool accounts, not personal accounts
- When setting up an account, use strong passwords/PINs, and ideally multi-factor authentication
- Turn on the microphone only when it's needed; mute when it's not
- Secure any sensitive documents if conducting a video chat
- Use virtual backgrounds or blur backgrounds during video chats
- Ensure that participants understand what information can be discussed and recorded (avoid sensitive info if possible)
- Disable any file sharing tools within the software
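Several of these items can be checked mechanically against an export of scheduled meetings. The sketch below is an added example, not ACA's or any vendor's code; the field names, the sample records and the `example.com` corporate domain are assumptions to be mapped onto whatever your conferencing tool's admin export provides.

```python
from collections import Counter

CORPORATE_DOMAIN = "example.com"  # assumption: the firm's own e-mail domain

# Constructed sample export; the field names are hypothetical, not a vendor API.
MEETINGS = [
    {"topic": "Board call", "meeting_id": "4810275563", "pin": "73920184",
     "waiting_room": True, "locked_after_roll_call": True,
     "recording_consent": True, "file_sharing": False,
     "host": "cfo@example.com", "confidential": True},
    {"topic": "Deal review", "meeting_id": "5550001111", "pin": "",
     "waiting_room": False, "locked_after_roll_call": True,
     "recording_consent": True, "file_sharing": True,
     "host": "analyst@gmail.com", "confidential": True},
    {"topic": "Weekly sync", "meeting_id": "5550001111", "pin": "1234",
     "waiting_room": True, "locked_after_roll_call": False,
     "recording_consent": True, "file_sharing": False,
     "host": "pm@example.com", "confidential": False},
]

def audit(meetings, corporate_domain=CORPORATE_DOMAIN):
    """Return {topic: [findings]} for meetings that miss a checklist item."""
    id_uses = Counter(m["meeting_id"] for m in meetings)
    report = {}
    for m in meetings:
        findings = []
        if m["confidential"]:
            # Confidential calls need a meeting number no other call shares, plus a PIN.
            if id_uses[m["meeting_id"]] > 1:
                findings.append("meeting number reused")
            if not m["pin"]:
                findings.append("no PIN")
        if not m["waiting_room"]:
            findings.append("waiting room off")
        if not m["locked_after_roll_call"]:
            findings.append("entry not closed after roll call")
        if not m["recording_consent"]:
            findings.append("recording without permission prompt")
        if m["file_sharing"]:
            findings.append("file sharing enabled")
        if not m["host"].lower().endswith("@" + corporate_domain):
            findings.append("personal host account")
        if findings:
            report[m["topic"]] = findings
    return report

if __name__ == "__main__":
    for topic, findings in audit(MEETINGS).items():
        print(f"{topic}: {'; '.join(findings)}")
```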
Additional Resources
ACA is actively monitoring the developments related to COVID-19 and producing resources to help your firm address operational challenges created by this pandemic. Visit our COVID-19 Resources page to access all of the resources we've developed that may help your firm navigate through the restrictions in place to curb the pandemic.
How We Help
ACA offers the following solutions that can help firms enhance their cybersecurity in light of COVID-19 related cybercrime.
- Threat Intelligence, Phishing Testing and Monitoring
- Penetration Testing and Vulnerability Assessments
- Cyber incident response planning
If you have any questions, please contact your ACA Aponix consultant or email us at info@acaaponix.com.