Beware of the security risks in using Zoom
As more of us turn to video conferencing platforms to conduct business and catch up with friends and family, the use of Zoom and concerns about its security have increased greatly.
The FBI announced it was investigating increased cases of “Zoombombing,” in which hackers break into your meeting with racial slurs, threats, and videos of extreme violence. (FBI Warns of Teleconferencing and Online Classroom Hijacking During the COVID-19 Pandemic)
Another article, appearing in The Guardian (“‘Zoom is malware’: why experts worry about the video conferencing platform”), states: “Security researchers have called Zoom ‘a privacy disaster’ and ‘fundamentally corrupt’ as allegations of the company mishandling user data snowball.”
An April 3, 2020 report from CitizenLab (Move Fast & Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings) outlines the following security issues with Zoom:
- The encryption for meetings is not set to the standard that Zoom claimed
- Vulnerabilities in Zoom’s screen sharing feature allow unwelcome guests
- Privacy concerns, such as Zoom sharing data with Facebook and other third parties
- Last year Zoom had an issue where it installed a hidden web server on Mac computers
- There is documentation of a Zoom feature that removes a password prompt
- Using a simple 9-10 digit code to join a meeting (leading to Zoombombing)
The Provisional UW–Madison Online Collaboration Session Recording Policy (eff. March 16, 2020) restricts the use of Zoom (or any other conferencing tool that is NOT supported by campus) when discussing sensitive, restricted or internal data. Please use the campus-supported web conferencing tools: Webex Meetings (See Webex Meetings: Getting Started) and Microsoft Teams (See Office 365 - Getting Started with Microsoft Teams).
If you belong to the UW–Madison Health Care Component, contact your HIPAA Privacy or Security Coordinator with questions about the tools approved for creating, storing, and sharing Protected Health Information. A list of currently-approved tools for use with PHI is available at www.compliance.wisc.edu/hipaa.
If you choose to use Zoom for public conversations, please:
- Join from your browser (without having to download the application). When you click to join a meeting, the option to join via browser appears in tiny text underneath a more prominent link to "download & run Zoom". It reads: "If you cannot download or run the application, join from your browser."
- Download from the official site (https://zoom.us/download). Multiple sources report fake Zoom installers giving the attacker full access to your computer. (Source: bleepingcomputer.com, PSA: Fake Zoom installers being used to distribute malware)
- Follow the guidelines released by Zoom: How to Keep Uninvited Guests Out of Your Zoom Event.
- Follow the recommendations from the FBI (FBI Warns of Teleconferencing and Online Classroom Hijacking During the COVID-19 Pandemic).
- Do not make meetings or classrooms public. In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.
- Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.
- Manage screen sharing options. In Zoom, change screen sharing to “Host Only.”
- Ensure users are running the updated version of remote access and meeting applications. In January 2020, Zoom updated its software; in that security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.