Over the past several weeks, a number of security issues and vulnerabilities have surfaced in the Zoom video conferencing platform, creating both security risks and embarrassing situations for users.
Issues and vulnerabilities discovered
Users and organizations have seen the following challenges:
- “Zoombombing”, where hackers attack Zoom meetings with slurs and pornographic images.
- Data sharing practices, including passing data to Facebook, several bugs that may compromise webcam and password security, and research suggesting that Zoom sometimes shares user data and encryption keys with Chinese developers.
- A class action lawsuit alleging that Zoom did not properly inform users about sharing data with Facebook.
Protecting your organization
The FBI has made the following recommendations for individuals and teams using the Zoom platform for meetings, and we’ve pulled together some best practices to support your team:
- Do not make meetings or classrooms public. In Zoom, there are two options to make a meeting private:
  - Require a meeting password.
  - Enable the “Waiting Room” feature so that you can see who is attempting to join the meeting before allowing them access.
- Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.
- Disable the ability for others to Join Before Host.
- Disable all file transfers, annotations, and the autosave feature for chats.
- Manage screensharing options. In Zoom, change screensharing to “Host Only.”
- Ensure users are using the updated version of remote access/meeting applications. In January 2020, Zoom updated their software. In their security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
- Once the meeting begins and everyone is in, lock the meeting to outsiders (see our tips below) and assign at least two meeting co-hosts. The co-hosts will be able to help control the situation in case anyone bypasses your efforts and gets into the meeting.
- Lastly, ensure that your organization’s remote work policy or guide addresses requirements for physical and information security.