Zoom’s Privacy Issues Explained

In the wake of the COVID-19 pandemic, Zoom Video Communications experienced a significant explosion in its userbase with the platform’s daily average users skyrocketing from 10 million daily users to over 200 million. 

This significant increase in attention has lead to Zoom entering the spotlight following rising privacy and security concerns discovered by security industry leaders and privacy-conscious users. As organizations continue to accommodate remote working and determine the best ways to manage a remote workforce, news about security issues regarding the applications needed to support them will be a significant concern. 

In this bite-sized article we will cover:

• What is Zoom?
• Zoom’s Privacy and Security Issues
• How Has Zoom Responded to Privacy and Security Concerns?
• Alternatives To Zoom Video Conferencing

What is Zoom?

Zoom Video Communications is an American cloud-based video conferencing company. It was founded by Eric Yuan in 2011 and is based in San Jose, California. Zoom offers free and paid tiers of its platform and attendees can join a Zoom meeting without downloading an application or making a dedicated account, making it a popular choice for convenient video conference meetings for both enterprise and personal use.

Zoom’s Privacy and Security Issues

Controversies surrounding Zoom’s privacy and security issues have caused many organizations to outright ban the use of the platform. As the situation evolves and Zoom continues to work to address the discovered issues these companies may consider allowing the platform.

Organizations That Have Banned Zoom Video Conferencing:

• New York City Department of Education
• SpaceX
• NASA
• Taiwan’s Government Agencies
• The Australian Defence Force

Zoom Bombing

The phenomenon known as “Zoom Bombing” involves unwelcome users gaining access to meeting rooms and sharing grotesque content with unsuspecting users. This practice has been especially troubling for new users that have begun using Zoom to keep in touch with family members partaking in mandated social distancing throughout the COVID-19 pandemic.

How Zoom Bombing Happens: 

1. Brute Force: Zoom relies on both randomly generated video meeting IDs that consist of a series of numbers. Unfortunately, malicious hackers have figured out how to use brute force methods to guess meeting IDs of random users as a method of gaining access to rooms that are not password protected. 
2. Social Media: Meetings IDs shared publicly on social media are susceptible to being discovered by strangers. Meeting IDs intended for private use can also be maliciously shared on public forums and social media websites. 

Once inside a Zoom meeting room, the malicious hackers shout profanities and share grotesque content with meeting attendees by taking advantage of Zoom’s default settings that allow new users to share their screens. This is especially troubling for Zoom’s pre-defined and reusable Personal Meeting IDs (PMI) as users of the Free tier cannot change their PMI by default, leaving future meetings susceptible to abuse when bad actors illicitly share their PMI.

Is Zoom Safe To Use?

With some adjustments, Zoom is safe to use for most people as the latest influx of controversy (such as Zoom Bombing) has stemmed primarily from abuses made possible by the default privacy and security settings of the platform. 

For enterprise users, security considerations for using Zoom are entirely different. Concerns surrounding claims that Zoom is not end-to-end encrypted as advertised and a formerly unpatched UNC vulnerability that had allowed hackers to steal Windows credentials have lead security-conscious enterprises to question if the platform meets their cybersecurity needs.

How To Use Zoom Safely

• Do not share sensitive information over Zoom
• Do not use your Personal Meeting ID (PMI) for public events
• When using cloud storage to share Zoom meeting recordings, beware that the default naming conventions for Zoom video recordings make it easy for strangers to find files that have been made accessible to anyone with the URL.
• To prevent Zoom Bombing, require the use of a password to enter your meeting
• Consider using the Waiting Room feature to control when new visitors are allowed to join your meeting
• Modify the default settings so that participants cannot share their screen
• Familiarize yourself with the key features of the platform so that you can comfortably manage participants that are disrupting meetings
• Keep your Zoom apps and software up-to-date with the latest security patches

How Has Zoom Responded to Privacy and Security Concerns?

To address the incoming wave of privacy and security concerns from privacy-conscious users and enterprise customers alike, Zoom has released a statement to its customers about the steps they will be taking to improve the security of their platform.

Highlights: What Zoom is Doing To Fix Security Issues

• For the next 90 days, Zoom has diverted all resources that were being used for feature improvement to instead make changes that address privacy and security concerns.
• White box penetration tests to identify and address issues.
• Enhancing their current “bug bounty” program to increase the potential for the discovery of security flaws that can be fixed.
• Passwords are now enforced if a user tries to enter a meeting using only the meeting ID rather than the meeting invite link.
• The Waiting Room feature is now enabled by default – meeting hosts will have to manually bring users from the virtual waiting room to the main meeting room.

As the situation continues to evolve there are likely to be several new features and adjustments to Zoom’s default settings. If you would like to stay up to date with the latest Zoom security and privacy updates, the CEO and Founder of Zoom (Eric Yuan) has started hosting weekly webinars on Wednesdays at 10am PT from their website. 

Alternatives To Zoom Video Conferencing

If security and privacy concerns surrounding Zoom have you searching for alternatives, the below list of Zoom competitors are suitable options video conferencing.

Cisco Webex (Free + Paid)

Designed with enterprise users in mind, Cisco Webex provides features for teleconferencing, interactive webinars, cloud calling, and team collaboration. Their offerings have recently been updated to enhance the features of their free plan to address the need for video conferencing options following social isolation orders related to COVID-19.

Microsoft Teams/Skype (Free + Paid)

Microsoft offers two video conferencing products – Microsoft Teams and Skype. Skype is best for personal video calls with family and friends, and Microsoft Teams is recommended for schools or enterprises looking for added collaboration features for remote learning and the management of project teams.

Google Hangouts (Free + Paid)

Free users of Google Hangouts can have group calls of up to 10 people. With multi-platform support for Android, iOS, and the web, the free version is suitable for small virtual social gatherings, though participants will need a Gmail or Googlemail email address to participate. The paid tier of Google Hangouts (Google Hangouts Meet) is included as part of existing GSuite subscriptions. To help businesses and schools during COVID-19, Google is offering all tiers of GSuite customers access to the video conferencing features that were previously only available for enterprise customers – Up to 250 participants per call, live streaming for up to 100,000 viewers, and the ability to record meetings and save them to Google Drive