As many businesses have experienced, Covid-19 forced us to quickly make a shift in the way that we conduct business. By mid-March, we moved all our in-person training sessions online. While we have been using Teams internally with great success and have provided extensive training in Teams, Excel, and cybersecurity, we have had little experience putting on webinars. We started by using Zoom and we are also experimenting with GoToWebinar. Due to all the media coverage on Zoom, we thought we’d share a technical explanation regarding these security and privacy issues.

Zoombombing is a thing

First and foremost, if you are involved with a public Zoom meeting (i.e. it does not have a password set, or the meeting is not set to invite-only/private), everything in the meeting is open to the public. That means that anyone who is given or finds the meeting ID will be able to join the video call and see all text, links, and attachments. Public means public. Zoombombing can occur at public meetings. Smart Dolphins has added a password to our meetings. Specifically, we have embedded the password in the meeting link for a one-click join. Zoom is also apparently working on blocking attempts to walk through meeting IDs in sequence and on blocking systems that repeatedly try random meeting IDs.

Secondly, Zoom is built with some concerning programming practices. Up until Friday, April 3, Zoom was (unintentionally) sending login data and some statistics to Facebook through its Facebook login integration. Zoom was also found not to be using full end-to-end encryption, but rather client-server encryption. This means that traffic is encrypted between you and Zoom's server, not all the way between the participants' endpoints, so the server sits in the middle with access to the decrypted content. Zoom has stated they are addressing this.

They were also found to be using a single shared (common) key for encryption, meaning that if that key were ever stolen, eavesdropping on communications would become easier. As the media has noted, Zoom also keeps server-side storage and logging that preserves recoverable meeting details. This allows users to resume meetings, and the data is technically accessible to Zoom staff (for analytics, troubleshooting, etc.). While this is a very common practice among almost all meeting services, it does raise concerns about the reliability of Zoom's internal security practices, given the shortcomings revealed over the last couple of weeks.

Zoombombing is the unwanted intrusion into a video conference call by an individual, which causes disruption.
https://en.wikipedia.org/wiki/Zoombombing

What this means

In theory, this encryption and key-handling method is less secure. However, exploiting it would require a very large amount of technical labour, hardware, and very fast fiber internet (around 10-100Gbps) just to keep up with the traffic going through Zoom's network, before anyone could eavesdrop on a private or password-protected meeting. The effort required is well beyond amateurs.
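To make the two points above concrete (client-server versus end-to-end encryption, and one common key versus a key per meeting), here is an added toy model. It is not Zoom's protocol and not code from this post: the cipher is a constructed XOR keystream with an HMAC tag, the Relay class stands in for the meeting server, and the messages and keys are made up for the illustration. What it shows is that a relay which only terminates the transport layer can read (and log) the content, while a layer encrypted with a key the relay never holds stays opaque to it, and that a stolen common key unlocks every recorded meeting whereas a stolen per-meeting key unlocks one.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter) blocks. Illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest())
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || HMAC tag (toy authenticated encryption)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    """Returns the plaintext, or None when the key is wrong (tag check fails)."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Relay:
    """Stand-in for the meeting server (constructed, not Zoom's design).

    It always holds the transport key for each client connection, so it
    must strip that layer to forward traffic. Whether it can read the
    meeting depends on whether any inner layer uses a key it also holds.
    """

    def __init__(self):
        self.transport_key = secrets.token_bytes(32)
        self.seen = []  # what server-side logging or recording could retain

    def forward(self, blob: bytes) -> bytes:
        inner = decrypt(self.transport_key, blob)  # terminate the client-server layer
        self.seen.append(inner)
        return encrypt(self.transport_key, inner)  # re-wrap for the next hop


def client_server_only(message: bytes):
    """Content protected only by the transport key: the relay sees plaintext."""
    relay = Relay()
    delivered = relay.forward(encrypt(relay.transport_key, message))
    receiver_view = decrypt(relay.transport_key, delivered)
    server_view = relay.seen[0]
    return receiver_view, server_view  # both equal the message


def end_to_end(message: bytes, meeting_key: bytes):
    """Content first encrypted with a key only participants share; relay sees ciphertext."""
    relay = Relay()
    wrapped = encrypt(relay.transport_key, encrypt(meeting_key, message))
    delivered = relay.forward(wrapped)
    receiver_view = decrypt(meeting_key, decrypt(relay.transport_key, delivered))
    server_view = relay.seen[0]  # opaque bytes: relay never held meeting_key
    return receiver_view, server_view


def compare_key_management(messages):
    """How many recorded meetings one stolen key unlocks: common key vs per-meeting keys."""
    common = secrets.token_bytes(32)
    common_recordings = [encrypt(common, m) for m in messages]
    per_keys = [secrets.token_bytes(32) for _ in messages]
    per_recordings = [encrypt(k, m) for k, m in zip(per_keys, messages)]
    exposed_common = sum(decrypt(common, b) is not None for b in common_recordings)
    exposed_single = sum(decrypt(per_keys[0], b) is not None for b in per_recordings)
    return exposed_common, exposed_single


if __name__ == "__main__":
    print(client_server_only(b"quarterly numbers"))
    print(end_to_end(b"quarterly numbers", secrets.token_bytes(32)))
    print(compare_key_management([b"meeting 1", b"meeting 2", b"meeting 3"]))
```

The point of the model is the position of the key, not the cipher: whatever the algorithm, a server that holds the content key can read and log what passes through it, which is exactly why the post recommends moving sensitive discussions to a platform you trust rather than relying on "encrypted" in the feature list.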

What you can do to protect your Zoom sessions

If you are using Zoom and the meeting is public (i.e. no password, and anyone can join with a shareable link without a direct invite), act accordingly and do not share personally identifiable information, company data, etc. If you are hosting meetings, set a password on your meeting or set up a private, invite-only meeting. This will prevent zoombombing and better secure any information shared in the meeting. If you are discussing private information via files or chat, move the discussion to a more secure platform (Microsoft Teams is recommended).

Smart Dolphins does not believe that the security issues disclosed by the tech community are enough to warrant not using the professional subscription for general video conferencing. That said, there are better, more secure options, and Smart Dolphins does recommend Microsoft Teams for internal collaboration.

Stay safe and stay calm!

Resources: