Intruders are learning how to hijack video calls on this popular platform
Video conferencing tools are quickly becoming a target of hackers who want to eavesdrop on calls and steal data from unsuspecting remote workers. ‘Uninvited guests’ are learning to crack meeting codes and break in.
But companies today are also falling prey to a new form of security attack called ‘Zoom bombing’ – in which intruders gate-crash an online meeting to video-stream pornographic or racist content. Recent attacks have prompted the FBI to step in.
And while Zoom had been hailed early on as a winner on Wall Street in the wake of the coronavirus pandemic, the company’s stock has been falling recently as a result of these security issues.
Earlier this year, research from IT security specialist Check Point Software identified vulnerabilities in the popular communication app, particularly with its meeting IDs, which are a string of nine to 11 random digits.
“The problem was that, if you hadn’t enabled the ‘Require meeting password’ option or enabled ‘Waiting Room,’ which allows manual participants admission, these 9-10-11 digits were the only thing that secured your meeting, i.e. prevented an unauthorised person from connecting to it,” Check Point said.
“Our researchers were able to predict ~4% of randomly generated meeting IDs, which [gives] a very high chance of success, compared to pure brute force,” the company said.
With nearly one in five users worldwide turning to Zoom, the app has easily become a target.
“As with any popular technology, along with the obvious benefits there are also risks,” says Omri Herscovici, who leads the Vulnerability Research Team at Check Point. The misuse of the app can lead to personal data breaches or business espionage, he explains.
How to secure online meetings
Herscovici shares four tips for ensuring your Zoom meeting is safe from hackers and ‘Zoom-bombers’:
1. Stay updated
“The updates that tech companies offer for their products not only add new options and features; they also address ‘bugs’ and security breaches found – such as the ability to discover and eavesdrop on meetings,” the security expert advises.
After Check Point discovered the vulnerability with Zoom meeting IDs, the app maker immediately went to work and bolstered its security protocols.
“Contrary to popular belief, attackers’ window of opportunity does not close after the security breach has been repaired, but only after users run a software update and receive the company’s product patches to address the threats. This means users who have not updated the software remain vulnerable,” Herscovici says.
2. Require a login password
“Zoom fixed the security breach and adopted our recommendations, with all scheduled meetings automatically protected by a password,” he says.
As with most platforms, keying in a password disclosed only to actual participants adds an extra layer of security. But to be fully protected, meeting organisers must take note of how participants are logging into the call.
Accessing the call by simply clicking on a hyperlink – which does not always require a password upon entry – makes the team more vulnerable to intruders.
“Anyone with the link can enter the call without having to show a call ID number or password,” Herscovici explains. He encourages users to log in via single sign-on if the company uses the tool.
The ‘Waiting Room’ option, on the other hand, enables managers to create a virtual ‘holding area’ that participants can access. Entry to the actual meeting room, however, requires managers to confirm the participants manually. (Some advanced options will allow for group check-ins.)
3. Manage the participants
Team leaders can also rein in “participants displaying inappropriate content by restricting the use of camera by participants,” Herscovici says. “The conversation manager can decide who can use their camera and microphone by clicking ‘Manage Participants.’”
4. Remember: what happens in Zoom might not always ‘stay in Zoom’
Zoom has nifty tools that let users record calls and export them as files, but meeting organisers need to keep in mind that such files can end up in the wrong hands.
“To reduce the possible dangers from using the recording tool, the call manager can decide which of the participants may record the call through the participant management window and click ‘Allow Record,’” says Herscovici.
Another danger, however: “The participant can always record the conversation using external software for recording the screen. Therefore, always assume that you may be recorded and act accordingly.”
“After the call,” he says, “if you have recorded it, ensure you don’t upload it to a shared platform like an information-sharing cloud that is open to other parties.”