Safety and Security While Video Conferencing with Zoom
With much of the world shifting to working from home due to public health concerns with COVID-19, video conferencing is booming. Businesses, and even schools, are turning to platforms such as Zoom, Microsoft Teams, Google hangouts and other technologies to stay connected.
Zoom has come under fire in recent days due to security issues with the platform. A zero-day vulnerability has recently been disclosed, and numerous users have noted that Zoom bombers are joining open meetings and sharing undesirable content. Zoom has also been found to overshare data with Facebook via their iOS app, a problem now fixed. BleepingComputer recently reported about a newly found vulnerability in Zoom that allows an attacker to steal Windows login credentials from other users.
In response, SpaceX has banned the use of Zoom for company meetings as has NASA. Zoom announced that they’re freezing all new feature development to focus on security and privacy.
Houseparty, another video conferencing platform, has also come under scrutiny with some users claiming that Houseparty is enabling hackers to get into their social media accounts amongst other things. Unfortunately, there does not seem to be much evidence to support these claims and Epic Games has offered a $1 million bounty to anyone who can prove these claims.
With all of these news stories, is it possible to have a safe video conference? Are some platforms safer than others? Why is Zoom so popular even though it has been plagued by so many security and privacy issues?
Remote businesses like Wordfence have been using remote connection tools for years, and we’ve learned a few things. With these concerns, we wanted to take a look at the security of numerous video conferencing platforms and provide some tips to help you stay safe when connecting online, whether you’re a meeting host or an attendee.
Video Conference Options
There are a number of video conferencing options available, all with different capabilities. While not everyone has a choice of video conferencing options, decision-makers will need to evaluate which offering has the functionality they need. Zoom, facing intense scrutiny, will no doubt be forced to improve their security to remain viable. If security is paramount to your conversations, choose an option such as Signal for secure text communication. For video conferencing, Cisco’s WebEx offers end-to-end encryption and encrypted recordings at the file and logical volume levels.
Even with their recent troubles, there are many reasons why Zoom is so popular. It’s easy to use, inexpensive, reliable and convenient. When security is paramount, however, using an alternative with a better security history makes sense. The larger concern is the expectation of security with a widely used product. This lulls users into a sense of security when it is not warranted.
Perhaps the greatest benefit of the recent media focus on Zoom is the realization that we’re may never fully secure when sharing information online, and we should always be prepared in the event of a breach.
There are, however, some steps you can take to improve security when using Zoom.
If You’re Required to use Zoom as a Meeting Host
Zoom is the most widely known platform, and when participating we don’t often get to choose which system we’ll be meeting on. Sometimes our employers require a certain platform, or sometimes our audience expects it. If you don’t have a choice in which platform to use, there are still some steps you can take to heighten your meeting security.
This video reviews some settings in your Zoom account that can help prevent Zoom bombing and ensure that your attendees have a safe experience.
Leverage your Zoom settings. There are a number of settings in Zoom that can help you keep your meeting safe. Lock down your meetings with passwords, mute attendees on joining, and lock down screen sharing so that an attendee can’t take over your meeting with their screen without your permission.
Kick out users. You can kick a user out of your room. You shouldn’t have to if you’ve secured your Zoom account, but know that this is available to you. Click Manage Participants at the bottom of the Zoom window. Next to the person you want to remove, click More. From the list that appears, click Remove and confirm.
Share Zoom links carefully. Without any controls in place, a Zoom link will let anyone join. Don’t share your Zoom meeting link in public places like social media or other public forums. Hackers and pranksters have been searching for these and accessing meeting rooms at will, wreaking havoc on business meetings and even online schooling.
Lock your meetings. Once a meeting has started and everyone is in attendance, click Participants at the bottom of your Zoom window. In the participants pop-up box, you will see a button that says Lock Meeting. When you lock the meeting, no new participants can join, even if they have the meeting ID and password.
Using Video Conferencing as an Attendee
Don’t use Zoom chats for private messages. If you’re attending a meeting and want to send a private message to another attendee, be aware that when your Zoom meeting is being recorded, the room owner will receive a transcript of everything you say privately.
Don’t share personal information. As with any public forum, assume that anything you type into chat or say in a Zoom meeting, you are being recorded and you don’t have control of what happens to that recording. Don’t share personally identifiable information with anyone, whether private or publicly.
Turn off video and mute yourself unless needed. If you’re attending a class or meeting and you don’t need video or audio, mute yourself and turn off your video. This prevents video conferencing from inadvertently recording conversations in your home or exposing information you might not want it to.
Helping Kids Use Zoom
As many schools transition to distance learning, helping our kids understand the importance of security and privacy is important and a great life lesson.
Zoom has some resources for school administrators to help them get started, but don’t assume that a teacher is fully versed in all of Zoom’s tools. Many are teaching online for the first time, and we’re all under a little more stress than usual. If you’re able to support a teacher as a moderator, you’ll make the learning experience better for everyone.
For younger students, stay with your child during online video conferencing. Schools should be asking for parental consent for video conferencing, and minors are not allowed to create Zoom accounts.
For older kids, teach them good video conferencing etiquette, including muting when they’re not speaking, not using the chat function, and not downloading files via Zoom.
Ask teachers if students can use aliases instead of real names, and find ways to limit the amount and depth of personal sharing via any channel online, whether video or otherwise.
Can We Stay Safe on Video Calls?
Yes, we can. Scrutiny of any platform is never a bad thing, as security research ultimately makes technology safer in the long run. It’s heartening to know that Zoom is taking security and privacy very seriously, and that pressure from the greater community will heighten that commitment.
Knowing how to use the tools is our first line of defense. We hope that you use these tools safely and fully to stay connected to those who matter most to you.
UPDATE, April 3, 2020: Zoom announced today that they’ll be turning meeting passwords and waiting rooms on by default to strengthen security of your Zoom meetings. They’ve published an update with information about these changes here.
Thank you to Nate Smith for his research contribution on this post.
All product names, trademarks and registered trademarks are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, trademarks and brands does not imply endorsement.
We are a charity supporting youth clubs across Sussex in England. Your recently issued article about using Zoom would be a great resource for our members and to go on our website.
The first part will be irrelevant and hard to follow by much of our userbase but everything from the heading "If You’re Required to use Zoom as a Meeting Host" onwards would be of considerable use.
Could we replicate this article to our website and onto our newsletter with the appropriate attribution and logos as a public service to our members?
Hi Chris! We'd be honored to help your community, and we'd love for you to add attribution of the source. Thanks and stay safe.
Hi Kathy - hope you're happy with this: https://sussexcyp.org.uk/news/zoom-security-settings/
Great, Chris. I hope it's helpful to your community. Stay safe!
The number of participants is critical to manage. When sharing with large groups it is best to have someone who is not the presenter/host watching the people. In a classroom situation this person can enable and disable individual while the present is focused on the teaching. We use Join.me, GotoMeeting, Zoom, Avaya, Cisco and most of the other platforms because our clients what to use their product. All of these have problems. We use Teamviewer, Sharespace or Logmein to transfer files but only from one computer to another at a time.
Definitely a good point. Trying to manage a large meeting or webinar with just one person is impossible. Having a backup moderator and support always helps! Thanks for sharing what solutions are working for you!
I like Jitsi as an alternative to Zoom. Do you see any safety issues? Would you use it? (https://meet.jit.si/)
Hi Anders, I have not used Jitsi, so I don't have any data to share. I will take a look, however. Always looking for new technologies to connect with WordPress users!
Jitsi Meet is also a great alternative that's fully open source and encrypted. I'm running a deployment of it on a $15 VPS (Droplet) on Digital Ocean. Has worked well for me.
See my website for more: https://trevdev.ca/blog/jitsi-rocks/
Thanks for the info, Trev! I'm sure it will be helpful to many of those folks who have the capability to set up a deployment.
I really really have wanted to use jit.si. Every time I do I have problems - audio mostly, coming and going. Tons of glitches. Have finally given up and am warning others. Don't understand why your experience is so different!
Very time and very detailed! Outstanding work! Thanks so much
Hi Kathy, good tips! Please add these:
1) disable "allow removed participants to rejoin" which is checked by default. 2) Of course remember that if your panelist is dropped they can not get back into the room if you locked the room.
Interesting, my "allow removed participants to rejoin" was toggled off by default, but good point. Definitely doublecheck to ensure that anyone you kick out can't get back in. Thanks, Jason!
Thanks for the great article Kathy! I had been wanting to search for this type of info, but got your newsletter update instead. Good information that I was able to pass onto the appropriate parties, as I am the webmaster/tech person for some non-profits and businesses.
Also, really appreciate all you guys do at Wordfence keeping our sites secure, and love your Think Like a Hacker podcasts.
Thank you for the tips. When I saw the post, I had to read it.
Thanks for finding out Kathy and sharing the knowledge. I've translated your article (with your permission) in Dutch, people who are interested can find it here: https://lamper-design.nl/videobellen-met-zoom-is-dat-veilig
Even when i mute myself during a meeting, micro snitch tells me that my micro is active. it´s just getting inactive once the zoom call is finished. that would mean, they even "listen" if you are muted.
jitsi is the best btw ;)
Excellent info. Thank You!
Another of the MILLION reasons that I LUV Wordfence !! Thank you! I have sent this to all my clients that use zoom!!
You guys rock!
Many thanks indeed. I'm about to launch my online business and this is very helpful information. Kieron
Is GoTo Meeting better than Zoom?
Each meeting platform has benefits and drawbacks. We didn't do an analysis of GoToMeeting's security profile, but their site has some data.
Great Stuff, Kathy! I hope that you are staying well during this tumultuous time.
Security is biggest risk of every website or app... everyone wants that their website or app should be secure and hack free...we use wordfence for the securing our website from hacker and malicious links.
Thank you so much for your article. We are using it as the basis for a best prectices document which should be on our website in the next few days. Like everyone else, most of our projects and all of our meetings have been greatly modified, postponed or cancelled. Having the ability to host a Zoom meeting with some security if really a blessing for our club. By the way our signature focus is "Child Safety, Health and Education". The communities we support are counting on us and Zoom is a most useful tool