Back when I was a kid, my grandfather would never talk about money on the phone. Even face-to-face, if he had to say the word out loud, he would whisper it, as if speaking normally would somehow invite a visit from nefarious forces.
I can’t really blame him. He was a first-generation American whose Jewish parents had barely survived the Czars in Russia. (See Fiddler on the Roof for a fictionalized reenactment.)
Of course, this was long before the Internet, let alone videoconferencing. But I guess you could say that telecommunications paranoia is something of a family “Tradition!”
Which is why I’m concerned about the recent ubiquity of Zoom usage among my client companies. It’s a convenient and useful tool, but it comes with its share of weaknesses.
A Deficient Culture of Security
Every software company on Earth has bugs and errors in its code. Even with the best of intentions, mistakes are made.
But Zoom’s weaknesses stem from its security culture. Or, more accurately, the fact that it doesn’t have one.
Unlike Microsoft or GoToMeeting, both of which offer competing video conferencing platforms as well as other security-based products, Zoom is quite cavalier about security.
And that’s a problem, because the types of mistakes it makes and the steps it takes — or doesn’t take — to address them can leave your organization vulnerable.
Some recent examples…
In July of last year, it was discovered that Zoom had a vulnerability that, among other things, allowed a bad actor to remotely take over a computer’s camera. The cause was not a simple coding mistake; the vulnerability was built in. Downloading Zoom essentially installed a web server on your machine.
Last month, it was revealed that Zoom’s iOS (iPhone) app was inadvertently sharing user data with Facebook, without notifying the user. But wait, it gets worse. They were doing this even if the user did not have an account with Facebook.
Most recently, Zoom conference participants have been the victims of “Zoombombing,” a practice in which uninvited attendees guess or otherwise uncover Zoom’s simple 10-digit meeting code, thereby gaining immediate access. It’s fun when somebody Zoombombs your virtual happy hour; it’s dangerous when they sneak into your Board of Directors meeting.
Those are just three examples; there are many more. In all cases, these situations were the result of a company prioritizing convenience over security.
Recommendations
Does this mean we advise our clients to avoid Zoom? Not necessarily. The service is easy to use and, even as its usage has exploded over the past month, it remains a solid option.
But it does mean that you need to take certain steps to enhance your security:
- Always require a password. As of the end of last week, Zoom has changed its default settings to require a password of meeting participants and enabled its “Waiting Room” functionality. However, both can be shut off. Don’t! These additional steps cut down on unwanted visitors.
- Don’t use the same meeting ID over and over. Zoom provides the option to create a customized meeting ID (e.g., zoom.us/meeting/123456789). That’s easy to remember, but the more times you share it, the more people who know it. Let Zoom generate a unique ID each time.
- Use a more secure system when necessary. For meetings in which the information is particularly sensitive, use a solution with more security maturity, such as GoToMeeting or MS Teams. These may not match Zoom’s ease of use or reliability, but they are better at protecting your privacy and information.
- Stay vigilant. When email first came into popular use, businesspeople had to be reminded of the fact that anything they sent was potentially in the public domain. Video is no different. Your camera captures your every word and move and creates a permanent record.
Final Thoughts
One of the reasons we are seeing so many Zoom mistakes is that until now, security concerns were not part of the company’s decision making. That’s already changing. Over the next 6–12 months, I think Zoom will continue to improve in this way.
Until then, take a page from Grampy (my grandfather) and start your own tradition of telecommunications wariness!
P.S. Click here for additional security suggestions from Zoom.