Zoom Vulnerability: Definition & Defense Techniques
Zoom security issues dominated our news feeds as 2020 came to a close. If you read every report, you likely became concerned that every meeting you attended somehow left you open to hackers and grifters.
We have good news.
Zoom officials read those reports too. In most cases, they patched problems within days. Few issues we heard about in the spring remain active today.
But you can still take commonsense steps to address Zoom security issues in meetings scheduled in 2021 and beyond. We'll tell you just what to do.
Zoom’s overall security landscape
Everything changed in 2020. The pandemic closed schools, shuttered offices, and closed yoga studios. Every meeting we had in person moved online. Most of us used Zoom for those meetings.
Zoom's growth was explosive. In December of 2019, Zoom hosted about 10 million daily meeting participants. In March of 2020, that number rose to 200 million.
Zoom's developers built their program with connection in mind. Their ideal user was:
- Corporate. These savvy people held formal meetings with clients or partners.
- Supported. They had IT departments supervising the work.
- Connected. Zoom was just one toolkit for these people. They could hold some meetings in person.
As the pandemic dragged on, everyone used Zoom. And sometimes, the platform stretched to meet needs the developers never envisioned. For example, few people imagined a day when court cases would be settled via Zoom. And no one thought a Zoom call would serve as a classroom for thousands of American children.
Hackers took advantage, and Zoom security breaches did occur.
Major Zoom security incidents
Just what sorts of things went wrong for chronic Zoom users? Let's walk through a few known incidents.
Known Zoom security breaches involved:
- Guesswork. Create a Zoom call, and the system generates a random ID number about 11 digits long. These meeting identifiers were relatively easy to guess. If hackers found them, they could join calls uninvited.
- Leaking. Use the iOS version of the Zoom app, and some analytics headed to Facebook, even if Zoom users had no active Facebook account.
- Encryption. Zoom developers told users that meetings were secured with end-to-end encryption. That language was misleading, as this form of encryption isn't possible with Zoom.
Status: Developers amended the language, but the encryption issue remains.
- Joining. Launch Zoom on OSX, and a vulnerability allows hackers to forcibly join a call and take over the camera. Kick them off the call, and they will rejoin with the same tactic.
- Offending. So-called Zoom-bombing involves an unauthorized user grabbing the camera and showing or shouting something offensive.
Status: New features allow administrators to lock down meetings so random attacks are harder to execute.
Notice that the majority of these Zoom security incidents aren't active. In most cases, Zoom developers changed the code and updated the software (and apps) within days.
Zoom security tips to follow
Lean on developers to help you keep Zoom safe and secure. When you see a problem, report it. But take commonsense steps yourself to protect your data.
Use Zoom safely by:
- Choosing your browser. Launch meetings on your desktop web browser, not through the app on your phone or computer. You'll always have the latest-and-greatest code with this method, even if you forget to update your apps regularly.
- Adding a password. Ensure that a password is attached to every meeting you create. Share it privately (not in a Tweet or Facebook post).
- Using waiting rooms. A virtual staging area holds participants, and you let them in after you've verified them. This option gives you control and can block malicious visitors.
- Requiring authentication. Go beyond a password and ask for verification on something like a phone. Require this step from all users, those with specific roles, or those belonging to specific groups.
- Making Zoom more secure with Okta Ensure that private meetings are protected. Pair Zoom with Okta. Use Okta’s Single Sign-On to enable access to Zoom, and surround those users with security. Find out more about how this collaboration works.
As in-person meetings and conversations return, remember that you have options. Don't lean on Zoom for sensitive conversations about things that should remain private. Pick up your phone and schedule a meeting instead.
Frequently asked questions
Q: How many Zoom vulnerabilities are there?
A: It's impossible to know that for sure. But Zoom's developers have responded to dozens of issues within the last year. Some problems were small (such as hackers decoding passwords based on arm movements seen on video) and others were large.
Q: Is Zoom safe to use?
A: For most conversations, Zoom is safe to use. Pair the technology with added security like Okta, and it's reasonably safe.
Q: Should highly sensitive conversations happen via Zoom?
A: Probably not. Zoom is not designed for high-level security clearance. If you can hold an in-person meeting, it's best to do so.
A Message to Our Users. (April 2020). Zoom.
Zoom Vulnerability Would Have Allowed Hackers to Eavesdrop on Calls. (January 2020). The Verge.
Zoom iOS App Sends Data to Facebook Even If You Don't Have a Facebook Account. (March 2020). Vice.
Zoom Faces a Privacy and Security Backlash As it Surges in Popularity. (April 2020). The Verge.