Zoom Security FAQ

 

 


Meeting Security

What is “Zoom-bombing”?

“Zoom-bombing” is when a malicious meeting participant interrupts a meeting by sharing inappropriate messages, audio, video, or other content with the purpose of disrupting it. This could be initiated by someone who knows or is affiliated with someone in the meeting, or it could come from an anonymous individual or group across the Internet.

How can I prevent “Zoom-bombing”?

You can prevent Zoom-bombing by practicing good access control using tools like meeting passwords and waiting rooms, employing co-hosts who are familiar with managing meeting participants, adjusting meeting settings to prevent unwanted guests from joining, and using care and forethought when sharing Zoom links or otherwise advertising your meeting.

LITS has changed the following default settings for Zoom meetings to help prevent Zoom-bombing (you can override these in your own meeting settings if needed):

  • Meeting passwords are required.

  • Screen sharing is host-only.

  • Removed participants cannot rejoin meetings.

  • File transfers during meetings are disabled.

Some additional settings you may want to consider changing:

  • Only authenticated users may join - Turn this option on to allow only users with Zoom.us accounts to join your meeting. Note: anyone can create a free Zoom.us account.

  • Join before host - Turn this option off to prevent participants from joining your meeting before you have joined.

  • Mute participants on entry - Turn this on to cause meeting participants to be muted when they first join the meeting.

  • Participants video - Turn this off to cause meeting participants to not have their camera enabled when they first join the meeting.

How can I control who can join my meeting?

You can manage meeting participants to grant or deny access to a meeting after a participant has already joined, but there are also several ways to control access before the meeting starts. You should always secure your meeting with a password, and if it is critical that only specific participants join, only give out the Meeting ID number and not a meeting link. One-click meeting join links have the password embedded in the link, so your meeting can be joined by anyone who has the link, and the link could be shared outside of your control or knowledge. Additionally, if possible, wait until the last moment to give out your meeting password.

Waiting rooms can also be used to prevent unauthorized participants from joining your meeting. You will have the ability to screen participants by name and allow them into the meeting one by one. If you later decide to remove someone from a meeting, they will not be able to rejoin without being re-invited. You can also follow meeting security guidelines to keep your meetings available only to intended participants. 
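The point above about one-click join links can be checked before an announcement is posted. The following is an added example, not part of the original FAQ or any LITS or Zoom tooling: it scans a draft announcement for Zoom join links that carry the password and rewrites them without it. It assumes join links have the form https://<host>/j/<Meeting ID>?pwd=<token>; the sample draft and its values are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumption: join links look like https://<host>/j/<Meeting ID>?pwd=<token>
URL_RE = re.compile(r"https?://[^\s<>\"')]+")
JOIN_PATH_RE = re.compile(r"^/j/(\d{9,11})/?$")

# Constructed sample draft (not a real meeting or password).
DRAFT = (
    "Seminar on Friday: https://example.zoom.us/j/1234567890?pwd=Q29uc3RydWN0ZWQ.\n"
    "Reading list: https://example.edu/readings?pwd=keep\n"
)


def is_zoom_host(host):
    """True for zoom.us and its subdomains only (not look-alike domains)."""
    host = (host or "").lower()
    return host == "zoom.us" or host.endswith(".zoom.us")


def audit_announcement(text):
    """Return (sanitized_text, meeting_ids_whose_links_carried_a_password)."""
    findings = []

    def fix(match):
        raw = match.group(0)
        url = raw.rstrip(".,;")            # sentence punctuation is not part of the URL
        trailing = raw[len(url):]
        try:
            parts = urlsplit(url)
        except ValueError:                 # malformed URL: leave it untouched
            return raw
        join = JOIN_PATH_RE.match(parts.path)
        if not join or not is_zoom_host(parts.hostname):
            return raw
        query = parse_qsl(parts.query, keep_blank_values=True)
        kept = [(k, v) for k, v in query if k.lower() != "pwd"]
        if len(kept) == len(query):        # no embedded password, nothing to do
            return raw
        findings.append(join.group(1))
        clean = urlunsplit((parts.scheme, parts.netloc, parts.path,
                            urlencode(kept), parts.fragment))
        return clean + trailing

    return URL_RE.sub(fix, text), findings


if __name__ == "__main__":
    sanitized, ids = audit_announcement(DRAFT)
    print(sanitized)
    print("Links that carried a password, by Meeting ID:", ids)
```

Participants who receive the sanitized link will be asked for the password, which can then be sent separately and as late as practical.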

 


Software and Network Security

Is Zoom secure?

As with many things, security is not an all-or-nothing endeavour. Security is measured by the risk and impact of an adverse event. When we talk about the security of software like Zoom, adverse events might be an anonymous meeting participant “Zoom-bombing” a meeting by sharing unwanted video, sensitive information being leaked from a private meeting, or malware being installed due to a software vulnerability. The risk of these events can be lowered by following information security best practices, understanding how to use the software and manage meetings, and by the developer taking actions to patch software issues.

In general, for class instruction, informal meetings with friends or family, discussion with co-workers, committees, etc., Zoom is fine to use. If you feel that meeting security is critical (for example, sharing proprietary or otherwise privileged information covered under an NDA, discussing medical records, or working with other security-conscious organizations), you may wish to use an alternative method of communication. Signal and WhatsApp are a couple of examples, but note that choices for large-scale video conferencing are minimal.

LITS will continue to monitor and utilize security resources to ensure that we are providing the best software and services available to our campus community.

I heard some security vulnerabilities were found in the Zoom software; what does that mean?

In computer security, vulnerabilities are weaknesses in software, services, or infrastructure that can be exploited to gain unauthorized access to a system. These vulnerabilities are a normal and expected part of any complex computer system, and developers have teams of dedicated professionals who work to identify and patch these issues before there are negative consequences.

It’s important to understand that not all vulnerabilities may lead to negative consequences, and a vital part of computer security is managing the risk that a specific vulnerability may create. This includes specific conditions required to exploit an issue, such as a particular version of an app or a specific type of hardware. The scope of a particular vulnerability also defines the extent to which it may affect a system or user.

With all of the attention and additional scrutiny Zoom has gotten recently for its increasingly important role to many organizations, it’s unsurprising that a number of vulnerabilities have been found and shared widely. In general, this is a positive thing as it puts pressure on software developers to resolve issues more quickly. Zoom has patched most of the recent vulnerabilities found within a matter of days, and we can expect to see a similar response if future vulnerabilities are found.

What specific vulnerabilities were found and what has been done to mitigate them?

Several issues were recently found and reported on, including:

  • Zoom data being shared with Facebook

  • Zoom conference calls not being encrypted end-to-end

  • Zoom exposing Windows passwords

  • Zoom installer could be used to execute malware on macOS

  • Zoom could expose webcam and mic to malware on macOS

While these bullet points may seem alarming at first glance, the actual details and requirements of each of these vulnerabilities show that very specific circumstances are needed to exploit these potential issues. Zoom has either patched or mitigated the above vulnerabilities within just a few days of their reporting, which is unprecedented for most software developers.

All users of the software will receive a message asking to update Zoom the next time it is opened, which will patch the aforementioned vulnerabilities, and LITS has automatically updated all faculty and staff members’ Macs with the latest version of the software.

Please see this summary of the vulnerabilities found for a technical explanation of each, including what specific hardware and software was vulnerable and how Zoom has responded to or resolved each issue.

How are faculty and staff protected against vulnerabilities?

Faculty and staff workstations are protected from malware and network attacks through the use of firewall and antivirus software. All Windows workstations are protected with Windows Defender, and Macs are protected with XProtect and Symantec Endpoint Protection. These tools help prevent and stop malicious software from causing unwanted changes to your computer, and can prevent bad web services from communicating with your workstation.

Additionally, all college Macs are remotely managed and automatically apply the latest security patches to both macOS and installed software (such as Zoom), and are monitored for suspicious behavior that may indicate a compromised system. PCs will be similarly managed in the near future.

We also make resources (such as this FAQ and our guide to securing Zoom meetings) available and visible through regular updates via email, our Knowledge Base, and the LITS distance learning resources website. Google Hangouts Meet is another resource that all faculty and staff may use in addition to Zoom if preferred.

How are students protected against vulnerabilities?

Students who have installed Zoom on their personal devices will automatically be prompted to update the software as updates are made available. This ensures the latest vulnerabilities are patched and that the most secure version of the Zoom app is always available. All students also have access to Symantec Endpoint Protection for free on their personal computers. Students may also use Google Hangouts Meet as an alternative to Zoom.

Should I continue to use Zoom to host meetings?

LITS currently recommends either Zoom or Google Hangouts Meet as safe options for the video conferencing needs of faculty, staff, and students. There are also other alternatives which may offer some of the same features but are not currently supported by LITS.

 


Privacy

Could someone eavesdrop on my Zoom meeting?

There are three ways that someone could gain access to data (including video and/or audio) from a Zoom meeting, and simple preventative measures you can take to prevent each one.

Meeting access control - The easiest and most common way for someone to view or hear your meeting is by joining it without your consent. If a participant is in your meeting, they will have access to the same content that other participants have. With the appropriate meeting settings in place, and knowledge of how to manage participants, you can prevent unknown parties from joining your meeting.

Local eavesdropping through screen sharing or remote desktop - If someone has local access to your computer, meaning they can either physically or remotely execute commands on it, they could see and hear what you do while connected to a call. LITS does not have remote access to your workstation without your authorization. Locking your computer with a password while unattended and keeping your application and security software up-to-date will mitigate this risk.

Network data capture - If an attacker with the appropriate knowledge and access to your computer network were targeting your meeting, and if you were hosting a meeting on an outdated version of Zoom, there are potential ways to discern data from a meeting. This is the case for all but the most hardened communication software, and is a complicated factor many apps and services are vulnerable to. The risk, however, is very low for most users. Keeping security and application software up-to-date and securing your home network will help prevent this type of attack.

Could Zoom allow someone to use my webcam or mic without my knowledge?

There was a recent vulnerability in which it could theoretically be possible for Zoom to allow third party code (such as malware) to enable the webcam or mic of computers running macOS. This issue was patched immediately by Zoom, and the software has automatically updated for all affected users. The vulnerability required a concerted effort between an attacker, a specific version of the Zoom software, and local access to a victim’s computer, and no reports of this exploit being taken advantage of have been published. There are currently no known vulnerabilities that could allow someone to remotely access a computer’s webcam or mic through Zoom.

How private are Zoom meetings?

Zoom meetings are as private as most other online communications platforms. Unless built specifically for situations that require high levels of confidentiality, many communications apps make certain assumptions about a user’s security, including their computer equipment and network connection. The vast majority of meeting security comes down to how end-users make use of the conferencing software.

Think about meeting with someone in person. How could you ensure your privacy? You could meet in an empty room with closed doors, and make sure no one else is in the room. You could have sound-proof walls, and do a sweep for surveillance devices such as hidden microphones. You could ask anyone who joins for their ID. You could even offer a strict list of procedural requirements that anyone you meet with must follow.

Privacy in Zoom (or other video conferencing apps) works in a similar way; you can manage meeting participants to ensure you are alone in a meeting. You can close and lock the doors with a password, and check the name of each participant who requests entry. You can rely on antivirus and network security software to ‘sweep’ your computer to prevent malware from stealing data. You can also follow meeting security guidelines to keep your meetings available only to intended participants. When these precautions are taken, a video conference can be as private as an in-person meeting.

What about “End to End Encryption” (E2EE)?

Encryption, in computer security, is a way of encoding a message so that it can only be decoded and accessed by a user with the correct private encryption key. This is often used in communications protocols to ensure that only the intended recipients are able to receive and respond to a message. This is commonly used in many places, including the web - whenever you see a web address start with “https://” it means there is an encrypted connection between the web server and your browser.

End to End Encryption (E2EE) means that a message (either text or data, including video or audio) is encrypted by one user, then never decrypted again until it reaches other end users. This is less common as it requires a more advanced software platform to implement correctly, and although there are some communications apps which offer this benefit, most large scale video conferencing apps do not. Zoom uses encryption to encode messages from end users to their servers and back, but message data may not be encrypted through the entire process. This is a standard practice for most large-scale video conferencing apps due to the nature of how they are designed.