Are you using Zoom yet? It seems that every professional, student and homemaker has been using this app for one reason or another, blissfully unaware of the risks it poses to their cyber security. With offices and schools around the world temporarily shut amid the coronavirus crisis, the video platform Zoom has seen overnight success.

So, what exactly is wrong with this app?

1. Zoom Bombings

On 30 March, the FBI announced it was investigating increased cases of video hijacking, also known as "Zoom-bombing", in which uninvited participants join video meetings, often through meeting links or IDs that were posted publicly, and disrupt them, frequently by shouting racial slurs or threats.

2. Lying about End-to-End Encryption

Zoom has falsely advertised itself as using end-to-end encryption, a report from The Intercept found. End-to-end encryption means that the content is encrypted with keys held only by the participants, so that not even the service operator can read it; Zoom's meetings were instead encrypted only in transit, between the clients and Zoom's own servers, which were able to decrypt them. Zoom confirmed that end-to-end encryption was not currently possible on the platform and apologised for the "confusion" it caused by "incorrectly" suggesting the opposite.

3. Identical URL flaw

A researcher recently discovered that if he tried to log into the Zoom website with a Facebook account, Zoom would ask for the email address associated with that Facebook account, then open a new webpage saying that a confirmation email had been sent to that address. However, the unique identification tag in that confirmation webpage's URL was identical to the tag used in the first step. The confirmation email therefore added no security at all: anyone who knew a victim's email address could complete the login without ever seeing the victim's inbox, and so take over the account.
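The weakness above is a general one: an email-confirmation step only proves mailbox access if the secret it relies on is delivered by email alone, never echoed back to whoever requested it. The following added example (not Zoom's code; the example.invalid URLs, class names and 15-minute lifetime are assumptions made for illustration) models the flawed flow beside a fixed one, in which the secret token travels only in the email, the server stores just a hash of it, and each token expires and works once:

```python
"""Email-confirmation tokens: the reuse flaw described above beside a fixed design.

Added example, not Zoom's code. The example.invalid URLs, class names and the
15-minute token lifetime are assumptions made for illustration.
"""
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a confirmation link


class WeakConfirmation:
    """Flawed pattern: the id in the 'check your email' page URL is the very
    same id that the emailed confirmation link carries."""

    def __init__(self):
        self._pending = {}  # request id -> email awaiting confirmation

    def start_login(self, email):
        request_id = secrets.token_urlsafe(16)
        self._pending[request_id] = email
        # The first URL is shown on screen to whoever typed the address; the
        # second is what gets emailed. Both carry the same identifier.
        page_url = f"https://example.invalid/check-your-email?id={request_id}"
        emailed_url = f"https://example.invalid/confirm?id={request_id}"
        return page_url, emailed_url

    def confirm(self, request_id):
        # Logs in whoever presents the id; access to the mailbox was never needed.
        return self._pending.pop(request_id, None)


class HardenedConfirmation:
    """Fixed pattern: the secret token travels only inside the email, the
    on-screen page gets an unrelated reference, and the server stores only a
    hash of the token and enforces expiry and single use."""

    def __init__(self, now=time.time):
        self._pending = {}  # sha256(token) -> (email, expiry timestamp)
        self._now = now     # injectable clock so expiry can be tested

    def start_login(self, email):
        token = secrets.token_urlsafe(32)  # 256 bits of entropy
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (email, self._now() + TOKEN_TTL_SECONDS)
        # The on-screen reference is independent of the token, so seeing the
        # page reveals nothing that helps complete the login.
        page_url = f"https://example.invalid/check-your-email?ref={secrets.token_urlsafe(8)}"
        emailed_url = f"https://example.invalid/confirm?token={token}"
        return page_url, emailed_url

    def confirm(self, token):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # pop: a token works at most once
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None  # link expired
        return email


def param_from_url(url, name):
    """Read one query parameter, as an attacker would from the address bar."""
    return parse_qs(urlparse(url).query).get(name, [None])[0]


def attacker_without_mailbox(service, victim_email, param):
    """Type the victim's address, look only at the on-screen page URL, and try to
    finish the login with the identifier found there. Returns the email the
    service logged in, or None if the attempt failed."""
    page_url, _emailed_url = service.start_login(victim_email)
    return service.confirm(param_from_url(page_url, param))


def legitimate_user(service, email, param):
    """Open the link from the inbox. Returns the logged-in email, or None."""
    _page_url, emailed_url = service.start_login(email)
    return service.confirm(param_from_url(emailed_url, param))


if __name__ == "__main__":
    victim = "victim@example.invalid"  # constructed test address
    print("weak, attacker:    ", attacker_without_mailbox(WeakConfirmation(), victim, "id"))
    print("hardened, attacker:", attacker_without_mailbox(HardenedConfirmation(), victim, "ref"))
    print("hardened, owner:   ", legitimate_user(HardenedConfirmation(), victim, "token"))
```

Against the weak service the attacker is logged in as the victim using nothing but the on-screen URL; against the hardened one the same attempt fails, while the genuine recipient of the email succeeds exactly once and not at all after the link has expired. Storing only the hash means a leaked database does not hand out live login links either.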

4. Sharing of Personal Data

Several privacy experts, some working for Consumer Reports, pored over Zoom's privacy policy and found that it apparently gave Zoom the right to use Zoom users' personal data and to share it with third-party marketers. Following a Consumer Reports blog post, Zoom quickly rewrote its privacy policy, stripping out the most disturbing passages and asserting that "we do not sell your personal data."

5. Chinese Servers

Zoom, a Silicon Valley-based company, appears to own three companies in China through which at least 700 employees are paid to develop Zoom's software. This arrangement is ostensibly an effort at labour arbitrage: Zoom can avoid paying US wages while selling to US customers, thus increasing its profit margin. However, it may also make Zoom responsive to pressure from Chinese authorities, or expose its code base to programmers who could be compelled by the government to slip backdoors into it.

Taking all this into consideration, the Ministry of Home Affairs (MHA) has issued an advisory stating that the Zoom Video Communications meeting app is not a safe platform for video conferencing. The advisory is meant for private individuals who still wish to use Zoom, not for Government officials or for official purposes, and it lists ways to prevent unauthorised entry into the conference room, to prevent an authorised participant from carrying out malicious attacks on the devices of other participants, and to avoid denial-of-service attacks by restricting access through passwords and explicit admission. The following are the precautions one must take:

· Set a new user ID and password for each meeting

· Enable the waiting room, so that participants enter only when the host admits them

· Disable "join before host"

· Allow screen sharing by the host only

· Disable "allow removed participants to rejoin"

· Restrict or disable the file transfer option

· Lock the meeting once all attendees have joined

· Restrict the recording feature

· End the meeting rather than just leaving it, if you are the host or administrator

With India now also raising an alarm, things are looking not so good for Zoom. The company is in the middle of a 90-day feature freeze in which it is dedicating all its engineering resources to securing its platform rather than building new features. Every privacy-minded person should therefore understand that the convenience of this app has so far come at a very significant cost in security and privacy.


Ananya Agarwal

Symbiosis Law School, Pune
