In the few months since December 2019, use of Zoom for online meetings and conference calls multiplied some 20-fold, something its creators could never have foreseen. With that popularity, inevitably, has come the attention of bad actors. The new word “zoombombing” has been catapulted into media headlines; it refers to the gate-crashing of meetings by intruders who share racist, obscene or extremely violent material.
Whilst it’s never possible to be completely safe (not even with physical meetings), simple measures can reduce the risk to manageable and perhaps negligible proportions.
If you can identify all the authorised participants of your meetings, such as a group of friends or a committee, you can lock it down quite securely. But what if you’re a church or other organisation wishing to make your meeting as open as possible? Even then there are controls you can apply to largely eliminate the risk.
The Threat
First of all, you need to understand the dangers you might face. They are:
-
Most obviously, zoombombing, as already mentioned. This can be extremely distressing for the host and all those who witness it. If you’re trying to reunite your church or voluntary organisation online during the pandemic there are likely to be those whose trust you will struggle to regain.
So how would malicious actors get to know about your meeting? Clearly, if you publish details publicly, experience shows that it’s naive to imagine that you’re a small fish in a big pond and no one would notice or bother with you.
Even if you only advertise the meeting to a select group, for example by email invitations, automated tools are already available which search at great speed for open meetings. There are also unfortunately social media groups which exist to share accidentally or deliberately disclosed meeting details for malign purposes.
A member of your group may inadvertently or ill-advisedly share meeting details beyond the group. There have been cases of online classes being disrupted by one or two disaffected students deliberately sharing meeting details in order to get the class disrupted.
-
Privacy of meetings is not strongly guaranteed. For most people this is of little importance but if you were an activist living under a repressive regime or an émigré from such a regime then it could be dangerous to rely on Zoom. And I guess there were a few GCHQ staff who came out in cold sweats when it emerged that Boris was using Zoom for cabinet briefings!
Zoom has announced that you will shortly be able to restrict the geographic regions through which your data might be routed, but this would be small comfort to GCHQ.
-
There may be security vulnerabilities in Zoom which could leak your personal data or passwords or compromise the security of your computer or the integrity of the Zoom controls you set. Zoom is a relatively young product which in recent months has been forced to try to reach a level of maturity most products take years to achieve.
In fact, there have been numerous vulnerabilities discovered in Zoom, some of them horrible, and these have caused some sections of the media to declare it fatally flawed and to be avoided at all costs.
The truth is that all software has vulnerabilities; the important thing is whether the developers promptly and proactively address them and issue fixes. The indications are that after a shaky start, Zoom has more recently been doing a commendable job. Indeed, they have announced a 90 day feature freeze in order to redeploy all their engineering staff on addressing security and privacy issues.
In another very smart move, Zoom has just hired Alex Stamos as an outside consultant. Well known and respected in the industry, Stamos has previously headed up security at Yahoo and Facebook and is an adjunct professor at Stanford University. If anyone knows his onions in this business, he does!
Additionally, Zoom is actively engaging with Chief Information Security Officers of major companies, including HSBC, Netflix and Uber in an ongoing security and privacy dialogue.
The Zoom Privacy Policy is explicit in stating that no user data is used for advertising or marketing, or sold to third parties. This is more than can be said for Facebook or Google!
Staying safe
Some of the threats might seem scary but you don’t need to be put off, unless you’re hosting cabinet meetings, of course. The risks can quite easily be reduced greatly if not eliminated. It will take just a little effort.
The first prerequisite for keeping safe online is to run a supported operating system (Windows 7 is no longer supported) and to install all security updates promptly. You don’t need Zoom’s help to get hacked if you’re running unpatched software.
When you launch Zoom it will sometimes offer you a security update. Always take it. Launch it a few minutes before your meeting so that you have time to update it if necessary. This applies equally to participants and to the host.
Logging into your account at zoom.us, under Settings you will find a large number of options. Review these regularly, as Zoom is continually refining its security: defaults may change, affecting your security strategy, or new options may appear allowing you to improve it. Don’t be daunted by the number of options. The important ones are fairly obvious, some you might have to experiment with to fully understand, and a fair number you can safely dismiss as irrelevant to you.
When you start a meeting you will also find a Security tab in the meeting controls. The Manage Participants tab also gives you controls you need to be aware of.
The settings you choose will depend on how open you want your meetings to be. If you can list all the participants then you can lock it down quite tightly, but for a church service or other public meeting you may want it to be as open as possible. In so doing you may attract new members who will join you in person after the lock-down.
In summary, you can set the following policy (or something similar) to keep your meetings safe:
-
Set a meeting password and share this only by email, never via social media. Change the password maybe weekly.
-
Promote a trusted participant to co-host (Manage Participants in in-meeting controls). He or she can then take responsibility for user management while the host concentrates on managing the meeting.
-
Set Screen sharing to Host Only unless you genuinely need it and you have strong control over who joins your meeting.
-
Take control of mute. Set users to be muted on entry and don’t allow users to un-mute themselves.
-
Consider controlling chat. You may wish to allow participants to chat with the host only so that an intruder can’t broadcast messages. Disable file sharing in chat unless strictly needed as this could be abused by an intruder.
You can set a more relaxed policy if you tightly control participants using any one or a combination of controls:
-
You can enable the waiting room. The host or co-host then has to let participants in. This only works with small meetings where the host (or co-host) can recognise all the invited participants. It may be harder if any don’t have a webcam. Once all attendees have arrived you can lock the meeting to prevent anyone else entering.
-
Set a new password for every meeting and ensure the password or the direct join URL (which embeds the password in encoded form, so anyone holding the link can join without being asked for it) is distributed by secure means only to invited participants. Impress upon all participants that neither the password nor the link is to be shared.
-
You can require participants to be authenticated to Zoom. Since anyone can create a free Zoom account, for personal users and voluntary groups this in itself only means participants are more likely to appear with a recognisable name rather than something like “John’s iPad”.
Some people may not wish to register with Zoom, or may be put off when it asks for their date of birth. There doesn’t appear (currently) to be a way to restrict participation to specified Zoom users. But with a Business or Enterprise licence you can link authentication to your company systems, which should be effective in keeping out intruders.
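The two policies above can be checked mechanically rather than by eye. The script below is an added example, not code from the original article or from Zoom: it audits one meeting record, plus the host’s account-level in-meeting settings, against the baseline policy (password set, host present before participants, mute on entry, host-only screen sharing, no file transfer in chat) and reports whether a gatekeeping control (waiting room or authenticated users only) backs up the password. The field names are assumptions modelled on the Zoom REST API v2 meeting and user-settings objects and should be verified against the current API reference; the two meeting records are constructed samples, not real API output, and the six-character minimum is a local policy choice rather than a Zoom rule.

```python
# Assumed field names, modelled on the Zoom REST API v2 meeting object
# (GET /meetings/{meetingId}) and user settings object (GET /users/{userId}/settings).
# Verify them against the current API reference before relying on this script.
MIN_PASSWORD_LEN = 6          # local policy choice, not a Zoom requirement
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def _get(obj, path, default=None):
    """Look up a dotted path such as 'settings.waiting_room' in nested dicts."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def audit_meeting(meeting, user_settings):
    """Compare one meeting (plus the host's account-level in-meeting settings)
    against the policy above. Returns a list of (severity, message) findings,
    most serious first; an empty list means the policy is met."""
    findings = []
    password = meeting.get("password") or ""
    if not password:
        findings.append(("high", "no meeting password: anyone who learns the meeting ID can join"))
    elif len(password) < MIN_PASSWORD_LEN:
        findings.append(("medium", f"meeting password is shorter than {MIN_PASSWORD_LEN} characters"))

    if _get(meeting, "settings.join_before_host", False):
        findings.append(("high", "join before host is on: participants can gather with nobody present to manage them"))
    if not _get(meeting, "settings.mute_upon_entry", False):
        findings.append(("medium", "participants are not muted on entry"))

    sharing_on = _get(user_settings, "in_meeting.screen_sharing", True)
    if sharing_on and _get(user_settings, "in_meeting.who_can_share_screen") != "host":
        findings.append(("high", "screen sharing is not restricted to the host"))
    if _get(user_settings, "in_meeting.file_transfer", False):
        findings.append(("medium", "file transfer in chat is enabled"))

    # The relaxed policy relies on at least one gatekeeping control being present.
    gates = [name for name, path in (("waiting room", "settings.waiting_room"),
                                     ("authenticated users only", "settings.meeting_authentication"))
             if _get(meeting, path, False)]
    if not gates:
        findings.append(("low", "no gatekeeping control (waiting room or authentication): "
                                "the meeting relies on password secrecy alone"))

    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


# Constructed sample records (not real API output): a meeting left on permissive
# settings, and the same meeting after applying the policy above.
WEAK_MEETING = {"id": 123456789, "topic": "Sunday service", "password": "",
                "settings": {"join_before_host": True, "mute_upon_entry": False,
                             "waiting_room": False, "meeting_authentication": False}}
WEAK_USER = {"in_meeting": {"screen_sharing": True, "who_can_share_screen": "all",
                            "file_transfer": True}}

HARDENED_MEETING = {"id": 123456789, "topic": "Sunday service", "password": "k7Qp2x",
                    "settings": {"join_before_host": False, "mute_upon_entry": True,
                                 "waiting_room": True, "meeting_authentication": False}}
HARDENED_USER = {"in_meeting": {"screen_sharing": True, "who_can_share_screen": "host",
                                "file_transfer": False}}


if __name__ == "__main__":
    for label, m, u in (("weak", WEAK_MEETING, WEAK_USER),
                        ("hardened", HARDENED_MEETING, HARDENED_USER)):
        print(f"== {label} ==")
        for severity, message in audit_meeting(m, u) or [("ok", "policy met")]:
            print(f"  [{severity}] {message}")
```

Run against the weak record it lists six findings, three of them high; against the hardened record it returns nothing. To use it for real you would fetch the meeting and user-settings JSON with your own API credentials and pass the parsed objects in; the point of separating the account-level settings is that screen sharing and file transfer are not per-meeting options, so a meeting can look fine in isolation while the host account still lets anyone share.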
In conclusion
We live in strange times with many of us on a steep learning curve as we adapt to new ways of working. Zoom has taken a lot of flak from some quarters but used sensibly and intelligently it can be a valuable tool. If you’re still convinced it’s the work of the devil, you could try Jitsi, which at least has the benefit of being open source. But even two tin cans and a piece of string is only secure if you use them sensibly.
Good guide and detailed instructions. Well done Philip!
During these times of working from home, when video meetings have become so widely used, I believe that end users are the weakest chain in the link, if we talk about security.
As you have explained so well in this article with regard to Zoom, there are also other applications that are risky when working from home. Most believe that if the communication is secured using, for example, a VPN, that would be enough, but in fact it is not, as explained below:
https://gabrieldumitrescu.com/2020/03/24/vpns-and-work-from-home-security-under-scrutiny-in-times-of-covid-19/
As we always say, the biggest vulnerability is between the keyboard and the back of the chair. And as you rightly observe, failure to understand just what a particular control (such as a VPN, or antivirus) does or doesn't do for you is often a problem, leading to a false sense of security. Which is why I dedicated a substantial part of the article to explaining what might go wrong. And yes, BYOD has been a major headache from the day it was first conceived.