In light of the COVID-19 pandemic, Zoom usage skyrocketed during March 2020 from roughly 10 million to 200 million daily meeting participants. That growth drew the attention of security researchers, and a series of new security issues were disclosed. In response, Zoom announced a 90-day freeze on new features in order to focus solely on the security and privacy of its users, and pledged five major security efforts, including a transparency report. This focus should lead to a more secure platform for everyone who uses it.
In an effort to keep our community well informed and most of all safe, we’ve created an FAQ in order to address the security concerns raised.
Zoom Security FAQ
Q: What is “Zoom-bombing” and how does it affect my ability to conduct an online lecture privately with my audience?
A: “Zoom-bombing” refers to uninvited participants joining a Zoom session, typically by finding a meeting ID that was posted publicly or guessing one that has no password, and then taking over the screen share or audio in an attempt to disrupt the meeting and cause chaos. Since late March, Boston University and Zoom have taken proactive steps to make meetings harder to enter and harder to take over. See below for the efforts made:
On March 25th BU’s Information Services & Technology team implemented guidelines for securing your meetings. These guidelines include instructions for removing an unwanted participant, protecting your meeting with a password, enabling the Waiting Room feature and controlling who can share content.
On April 8, 2020 Zoom released an updated client for all platforms which adds a “Security” option to the host’s in-meeting controls. This combines all of Zoom’s existing in-meeting security controls into one place and includes locking the meeting, enabling Waiting Room, and more. Users can also now enable Waiting Room in a meeting, even if the feature was not turned on before the start of the meeting. For more information, please see Zoom’s support article.
On April 27, 2020, Zoom released an updated client for all platforms which adds the ability for meeting hosts to report problematic participants to Zoom’s Trust and Safety team.
Zoom continues to address security issues as they are reported. These fixes only protect you once the updated client is installed, so check for updates regularly and install them promptly.
Additionally, the Cybersecurity & Infrastructure Security Agency (CISA) issued guidelines for defense against Zoom-bombing.
Q: Can the host see my private chats?
A: No. The host can only see private chats that they personally sent or received. Whoever saves a meeting chat gets the full public chat plus any private chats they were a party to; the host cannot save private chats exchanged between other participants.
Q: Is Zoom sharing my information with Facebook?
A: It was discovered that the Zoom iOS application, through a Facebook software development kit (SDK) it included, sent analytics information (mobile operating system type and version, device time zone, device model and the device’s unique advertising identifier) to Facebook each time the app was opened, whether or not the user had a Facebook account.
On March 27, 2020, Zoom issued an iOS update that removes the Facebook SDK and stops this data from being sent. If you have not updated the iOS application, please do so as soon as possible so that this change takes effect.
Q: When I use the Windows version of Zoom am I exposing my login and password information?
A: Your Zoom login and password are not exposed. However, a security researcher found that the Zoom Windows client turned Windows network paths (UNC paths of the form \\server\share) posted in the group chat into clickable links. When a Windows user clicks one, Windows opens a connection to that server and tries to authenticate, sending the user’s Windows login name and NTLM password hash to whoever controls the server, where the hash can be cracked offline. An attacker only needs to post such a link in the chat of a meeting they have joined. Be wary of clicking links in chat: a legitimate web link starts with http:// or https://, while a link beginning with two backslashes is a network path you should not click. Before you click, confirm with the sender in the meeting that they posted the link and that it is what it claims to be.
Zoom fixed this in the client update released on April 2, 2020, which no longer converts UNC paths into clickable links. Please update your Zoom app to the latest version. Administrators of managed Windows machines can also limit this class of attack with the Group Policy setting “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers.”
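To make the UNC-path problem concrete, here is an added example (written for this FAQ, not Zoom’s code) that contrasts a chat “linkifier” with the pre-fix behaviour, which turns both web URLs and \\host\share paths into clickable links, against a hardened one that only links http(s) URLs, plus a small moderator check that flags any message carrying a UNC path. The chat lines, host names and URLs are constructed for the example.

```python
import re

# Constructed sample chat lines (not captured from a real meeting). The second
# and third contain UNC paths of the form \\host\share, which the Zoom Windows
# client used to render as clickable links.
SAMPLE_CHAT = [
    "Slides are here: https://www.example.edu/slides",
    r"Open the handout: \\attacker-share.example\public\handout.pdf",
    "Reading: http://example.edu/syllabus and \\\\files.example\\drop",
    "See you at 3pm",
]

# A UNC path: two backslashes, a host name, a backslash, then the share/path.
UNC_RE = re.compile(r"\\\\[^\\\s]+\\[^\s]*")
# A web URL: http:// or https:// followed by non-whitespace characters.
HTTP_RE = re.compile(r"https?://[^\s<>\"]+")


def linkify_vulnerable(message):
    """Pre-fix behaviour: both web URLs and UNC paths become clickable links.

    Returns (kind, target) pairs in the order they appear in the message.
    Clicking a 'unc' link on Windows opens an SMB connection to the host in
    the path, and Windows authenticates to it with the user's login name and
    NTLM password hash, which is what the attacker collects.
    """
    found = [(m.start(), "http", m.group(0)) for m in HTTP_RE.finditer(message)]
    found += [(m.start(), "unc", m.group(0)) for m in UNC_RE.finditer(message)]
    return [(kind, target) for _, kind, target in sorted(found)]


def linkify_hardened(message):
    """Post-fix behaviour: only http(s) URLs become links; UNC paths stay inert text."""
    return [("http", m.group(0)) for m in HTTP_RE.finditer(message)]


def unc_paths(message):
    """Return every UNC path found in a single chat message."""
    return UNC_RE.findall(message)


def scan_chat(messages):
    """Moderator check: (index, UNC paths) for each message that carries one."""
    return [(i, unc_paths(m)) for i, m in enumerate(messages) if unc_paths(m)]


if __name__ == "__main__":
    for msg in SAMPLE_CHAT:
        print("vulnerable:", linkify_vulnerable(msg))
        print("hardened:  ", linkify_hardened(msg))
    print("flagged:", scan_chat(SAMPLE_CHAT))
```

The hardened version does not try to recognise “bad” hosts; it simply never makes a network path clickable, which removes the attack regardless of what host name the attacker chooses.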
Q: I heard Zoom leaked user information. Is my information at risk?
A: No. The exposure was limited to a few thousand Dutch users and resulted from the default “Company Directory” setting being applied to three Dutch consumer email domains. Zoom has since corrected the grouping for those domains and says it continues to monitor, maintain and update the feature so that it does not happen again.
What the Company Directory setting is and how it exposed data: by default, your Zoom contacts list includes other users in the same organization via the “Company Directory” setting. Zoom assigns users to an organization by the domain of the email address they signed up with, excluding a list of well-known public providers such as gmail.com, yahoo.com and hotmail.com. The Dutch domains in question belong to consumer internet providers that were missing from that exclusion list, so Zoom treated every subscriber who signed up with a personal address there as a colleague of every other, pooling thousands of strangers into one directory and exposing their personal information (names, email addresses and profile photos) to one another.
For more information on this read the Business Insider story.
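The grouping logic behind this exposure is easy to reproduce. The added example below (written for this FAQ, not Zoom’s code) builds a contact directory two ways from a set of constructed sign-ups: the vulnerable way, which treats every domain not on a denylist of public providers as an organization, and an allowlist version in which only domains an administrator has claimed and verified form a directory. The allowlist approach is the design a practitioner would prefer; it is not a description of how Zoom fixed the issue. The users and domains are placeholders, not the Dutch domains that were actually affected.

```python
from collections import defaultdict

# Constructed sign-up records (not real users; the domains are placeholders).
SIGNUPS = [
    ("alice", "alice@example-university.edu"),
    ("bob", "bob@example-university.edu"),
    ("carol", "carol@gmail.com"),
    ("dave", "dave@gmail.com"),
    ("erik", "erik@example-isp.nl"),    # personal mailbox at a consumer ISP
    ("femke", "femke@example-isp.nl"),  # unrelated to erik
    ("gert", "gert@example-isp.nl"),    # unrelated to both
]

# Denylist of "public" mail providers. Any consumer domain missing from it
# (here, the ISP) is mistaken for a company.
PUBLIC_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}

# Allowlist: domains an administrator has claimed and proven control of.
VERIFIED_DOMAINS = {"example-university.edu"}


def domain_of(email):
    """Lower-cased domain part of an address (split on the last '@')."""
    return email.rsplit("@", 1)[1].lower()


def directory_by_denylist(signups, public=PUBLIC_DOMAINS):
    """Vulnerable: every domain not on the public list is treated as one organization."""
    groups = defaultdict(list)
    for name, email in signups:
        domain = domain_of(email)
        if domain in public:
            continue
        groups[domain].append(name)
    # A directory only exposes anyone once it holds more than one member.
    return {d: m for d, m in groups.items() if len(m) > 1}


def directory_by_allowlist(signups, verified=VERIFIED_DOMAINS):
    """Hardened: only verified organizational domains form a directory."""
    groups = defaultdict(list)
    for name, email in signups:
        domain = domain_of(email)
        if domain in verified:
            groups[domain].append(name)
    return {d: m for d, m in groups.items() if len(m) > 1}


def exposed_strangers(signups):
    """Directories the denylist build creates that no verified organization owns."""
    leaky = directory_by_denylist(signups)
    safe = directory_by_allowlist(signups)
    return {d: m for d, m in leaky.items() if d not in safe}


if __name__ == "__main__":
    print("denylist directory: ", directory_by_denylist(SIGNUPS))
    print("allowlist directory:", directory_by_allowlist(SIGNUPS))
    print("exposed strangers:  ", exposed_strangers(SIGNUPS))
```

A denylist of public providers can never be complete, since every country has its own consumer ISPs and webmail services; an allowlist of verified domains fails closed instead, so an unknown domain simply produces no directory.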
Q: I heard that there was a discrepancy with Zoom’s end-to-end encryption and its validity. Is my meeting information private and encrypted?
A: Your meeting traffic is encrypted, but not in the sense that “end-to-end encryption” normally means. End-to-end encryption means content is encrypted by the sending participant and can be decrypted only by the receiving participants; the service provider in the middle never holds the keys. Zoom had been using the term for its meeting encryption even though Zoom’s own servers generate and distribute the meeting keys, which is what drew the scrutiny. On April 1, 2020 Zoom acknowledged the discrepancy and clarified what its encryption actually covers. There is also a practical limit: a participant who dials in from a landline phone or joins from a room system that does not run the Zoom software cannot receive encrypted media at all, so that leg of the call must be handled differently.
Check out the following scenarios for how encryption is handled by Zoom:
In a meeting where all participants are using Zoom clients and the meeting is not being recorded, Zoom states that it encrypts all video, audio, screen sharing and chat content at the sending client and does not decrypt it at any point before it reaches the receiving clients, so that no user content is available to Zoom’s servers or employees during transmission. Note the two conditions: cloud recording necessarily gives Zoom’s servers the content, and because Zoom’s servers generate the meeting key, this protection rests on Zoom not decrypting rather than on Zoom being technically unable to.
A participant on a landline phone or on a room-based system (the hardware used in boardrooms to join meetings) does not run the Zoom client, so the encryption described above cannot extend to that phone or device.
To cover these channels as far as possible, Zoom offers “Zoom connectors”, cloud services operated by Zoom that join the meeting on behalf of the phone or room system. Media is encrypted between the Zoom clients and the connector, but the connector itself must process the content in order to bridge it to the non-Zoom device, so a meeting that includes a connector is not in the all-Zoom-clients scenario above. For more information about Zoom connectors and their encryption, see Zoom’s post Facts Around Zoom and Encryption for Meetings/Webinars.