
Zoom Facing Privacy and Security Scrutiny

Amid the coronavirus pandemic quarantine, Zoom Video Communications [NASDAQ: ZM] has skyrocketed to the top of the iOS and Android app stores as one of the most popular video calling applications. The video conferencing service is being used for everything – school classes, business conference calls, group exercise, group hangouts, etc. Because of its popularity, it is one of the very few stocks that are actually increasing in value at this time.

However… Zoom’s infrastructure security is now facing backlash as security experts, lawmakers and even the FBI warn that the platform’s default settings aren’t secure enough. Enter “Zoombombing”. The term refers to cyber harassment reported by Zoom users whose calls have been hijacked. Not only have these calls been disrupted, but the unidentified hijackers apparently shout hateful and obscene language or share pornographic images with all conference participants. Zoombombing has become so prevalent that the FBI issued a news release to warn people of the threat.

Zoom’s Prior Issues with Security

Back in 2019, Apple released a silent update for Mac users removing a vulnerable component of Zoom that allowed websites to automatically add a user to a video call without their permission… in effect, this let websites hijack Mac cameras.

Zoom calls are all linked to a randomly generated ID number that participants use to dial into a meeting. Research suggests these 9 to 11 digit meeting IDs are easy to guess, allowing anyone to eavesdrop on meetings. Additionally, Zoom’s default settings do not encourage users to set a password for a meeting, and they allow any participant to share their screen. All of these gaps are feeding into Zoombombing.

Zoombombing isn’t the only security and privacy issue. Zoom also: 1) was forced to update its iOS app to remove code that sent device data to Facebook; 2) rewrote its privacy policy after user information was reportedly leaked from the Zoom groups contacts; and 3) admitted that the “secure a meeting with end-to-end encryption” advertised on its site was actually misleading and that it is not possible to enable end-to-end encryption for Zoom video meetings.

California Consumer Privacy Act (CCPA) Issues

Zoom is now facing lawsuits that allege the company is illegally disclosing personally identifiable information (PII) to third parties. The two lawsuits filed earlier this week in CA seek damages on behalf of Zoom users for alleged violations of the CCPA. Security researchers are also now discovering how Zoom works around operating system restrictions when installing its software on Mac computers.

FBI Recommendations

The FBI recommends exercising due diligence and caution in cybersecurity efforts. The following steps can be taken to mitigate teleconference hijacking threats:

  • Do not make meetings or classrooms public.
    • In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.
  • Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post.
    • Provide the link directly to specific people.
  • Manage screensharing options.
    • In Zoom, change screensharing to “Host Only.”
  • Ensure users are using the updated version of remote access/meeting applications.
    • In their 2020 security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
  • Users should ensure that their organization’s telework policy or guide addresses requirements for physical and information security.
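As an added example (not from the original post, and not Zoom’s own code or API), the recommendations above expressed as a small policy-as-code audit that a meeting configuration can be checked against; the field names, the “host”/“all” screen-sharing values and the minimum client version are assumptions for illustration, not Zoom’s real API fields or release numbers.

```python
"""Audit a meeting configuration against the FBI teleconference-hardening
guidance: private meetings, no public links, host-only screen sharing,
and an up-to-date client. Field names and values are assumed, not Zoom's."""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed minimum client version; the post names no version number, so
# this is a placeholder for "the 2020 security update".
MIN_CLIENT_VERSION: Tuple[int, ...] = (5, 0, 0)


@dataclass
class MeetingConfig:
    meeting_id: str            # constructed sample value, not a real meeting
    password_required: bool
    waiting_room: bool
    screen_share: str          # assumed values: "host" or "all"
    join_url_public: bool      # link posted on an unrestricted public channel
    client_version: str        # e.g. "4.6.9" or "5.0.0 (build)"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.0.0 (23186)' into (5, 0, 0); build suffixes are ignored."""
    return tuple(int(part) for part in version.split()[0].split("."))


def audit(cfg: MeetingConfig) -> List[str]:
    """Return one finding per recommendation the configuration violates."""
    findings = []
    # Either control makes the meeting non-public; require at least one.
    if not (cfg.password_required or cfg.waiting_room):
        findings.append("meeting is public: enable a password or the waiting room")
    if cfg.join_url_public:
        findings.append("join link posted publicly: send it directly to invitees")
    if cfg.screen_share != "host":
        findings.append("screen sharing not restricted to host only")
    if parse_version(cfg.client_version) < MIN_CLIENT_VERSION:
        findings.append(f"client {cfg.client_version} predates the required update")
    return findings


if __name__ == "__main__":
    # Constructed sample: a default-style meeting before hardening.
    weak = MeetingConfig("111-222-333", False, False, "all", True, "4.6.9")
    for finding in audit(weak):
        print("FINDING:", finding)
```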