Zoom Security: Knee-jerk reactions – have we all gone mad?

Secure prison with brabed wire

Zoom security is broken! I find it bizarre that in the midst of a viral epidemic, under lock-down conditions where people are still roaming the streets and having family get-togethers, a single technical problem causes the world to go into a frantic panic.

I am, of course, talking about the spate of “bombings” and other purportedly dangerous loopholes in the now extremely popular Zoom video conferencing platform. 

Even more annoying to me is how the IT community, who should know better, have responded with knee-jerk reactions before researching the issues.  I.T. has always been those people who threw change control at everything and annoyed the business with our intransigence (for good reason).  Why now the sudden change of behaviour?

Zoom has received a lot of negative press this week:

  • Malicious people with time on their hands have been anonymously signing on to meetings and doing naughty stuff, because the links were easy to guess.
  • Zoom has been sending inappropriate data to Facebook and reportedly leaking user information.
  • Zoom have stated they have end-to-end encryption which apparently isn’t the case.
  • And so on…

Is Zoom a bad company or a dangerous technology?  Gasp!  Is Zoom a virus?

In the last month, COVID-19 has pushed the use of video conferencing technologies and many other online collaboration tools to the fore.  Zoom, which was one of the providers to have always offered a free option, and been very supportive of education, rapidly rose from about ten million subscriptions to two hundred million.  The platform is popular in education due to features such as breakout rooms, polls, and hand-raising.

It is easier to hit a large, nearby target than a small distant one

Large target like Zoom, and smaller target like Teams

In terms of cyber-attacks, Microsoft Windows is the most targeted operating system in the world.  This is not because it is the worst.  It is by far the most widely deployed platform in the world.  Hackers are smart, and they understand economics.  Why waste your time searching for a needle in a haystack if a piece of straw will do the job?

Zoom is now the most popular online conferencing tool in the world.  According to their CEO, they never expected such growth.  Who could?  How would you manage a twentyfold increase in popularity of your product overnight?  It sounds like a great problem to have, but most businesses would collapse under this growth as their supply chains would not be able to scale fast enough.

The alternatives, such as Microsoft Teams and BlueJeans are far below Zoom’s numbers right now.  So, if I decide I want to stick my dog wearing a pirate costume on an online cabinet meeting today, I will target Zoom.  If Teams is the flavour of the month tomorrow, I am going for Teams.

Is Zoom in bed with Big Brother?

Who knows?  Who cares?  According to the press everyone is.  I read several articles about Zoom’s Facebook and privacy “leaks” and can only interpret what I have seen reported.  What I sense is that the leaks were not intentional sharing of data, but technical bugs which have now been patched.

Stop Panicking

Stop panicking about Zoom and Video Conferencing

Within the space of three days, I have become aware of at least four organisations who, seemingly without consideration, blocked Zoom from their networks.  I am not sure that the impact of these gut-reactions has been carefully considered:

  • Who are you shutting out by blocking the technology? The Coronavirus has not changed the fact we are a global and connected world.  What happens if your suppliers and customers are still using Zoom?  You just turned them away from your business.  Can you afford to do this?  Are you big enough to prescribe what they should be doing?  Is it ethical, in a sliding economy where everyone is starting to feel pain?
  • All the conferencing technologies have vulnerabilities.  I was able to reproduce the Zoom bombing scenario on a different platform within five minutes.  By panic-pivoting (ooh, I claim that phrase!) it is likely that you moved to a technology you are less familiar with and exposed yourself to a greater chance of compromise because of this lack of technical skill.
  • Learn the system dammit! Most of the issues appear to relate to user error and ignorance, rather than technology.  This is my pet peeve.  Train your staff if you are a larger organisation.  If not, spend some time under the hood, and speak to your I.T. people.
  • Zoom is likely to be more focused on fixing security right now than anyone else.  They have announced a freeze on feature releases for the next three months just to review their security.  In the last three days I have seen two new patches released.  And frankly, their features are well ahead of the alternatives, so I am happy to wait three months for their next innovation.
  • Think about the stress on your colleaguesIf you elected Zoom as your platform of choice at the start of the COVID-19 crisis, I guarantee the company went through abject terror and intense handholding through a stressful transition, while people were also worried about their personal health and families.  By jumping, we are introducing stress in a time when people could do without it.

So, what should you do?

Zoom has already made significant security changes this week, including amendments to default settings to ensure people don’t forget to set the security right.  There are a dozen articles on Zoom specifically, including from the company themselves, so I’m not writing a training manual.

  • To paraphrase Andy Grove from Intel, “Only the Paranoid Survive”.  Think of your video conference like a meeting in the open plan of your office.  You may be behind doors, but someone might have left a window open. If you aren’t intimately familiar with everyone in the meeting, how do you know they aren’t going to run off to the coffee room and blab about “what Bob said” later?  Same principle.
  • Encryption is a technical process which turns data into hopefully untranslatable gobbledygook before it leaves your computer, which is then un-gobbled when it gets to the other side.  Zoom claims end-to-end encryption.  Some technical sites say “not so much”.  Encryption is difficult enough to maintain in a one-to-one transaction like email, and there are many hacker tricks to fool the unwary. 
    The problem with conferencing tools is that we now have multiple endpoints (participants) to secure. Encryption is only as good as its weakest link. That person sitting at the coffee shop who unwittingly connects to a fake wireless network (what we call an “evil twin”) could compromise the entire operation. This is not just a Zoom problem; this is an everything problem.
  • Avoid open meetings unless you are happy that anyone can come in and you are able to control this.
  • Use mechanisms in the system to identify people such as:
    • Setting conference passwords and only sending them to invited attendees.  Marketers hate passwords because they ruin the “User Experience”.  I think having naked Nazis dancing around my conference is a worse user experience than having to type a password.
    • Many conference facilities allow you to set up a waiting room.  This is like a check-in counter at a physical conference where guests sign in and get name tags and goodie bags.  The event coordinator screens and lets attendees through.  I have no idea how to handle the goodie bag but how about that for Zoom’s next feature release?
  • Consider having someone helping on the conference as a production assistant, especially on large events.  This person can be watching the chats, new joiners, and other activity, and evicting naughty people, without distracting you from delivering your message.
  • Limit screen sharing to only people you know will be sharing material.  In education this is tricky as we want our delegates to collaborate, but there are ways of pre-approving, or pre-loading content.
  • Control who can record the conference, including chats.  This is never perfect of course; if the content is sensitive, I could just record the audio with my phone, there is nothing you can do about this.  Apply the Grove principle.
  • You can often lock conferences down to specific mail addresses.  This becomes quite draconian in the educational context but for a sensitive business meeting, why not?

Will I get taken?

Probably.  I am opening myself up to ridicule by writing this article because the chances of someone in my organisation leaving a Zoom session open always exists.  You may read about me in the press next week, or not.  We are in changing times, and in changing times, we need steady leadership, even if occasionally we bump a rock.  The point is to remain calm, consider the situation properly, and think about the people who are looking to you for guidance.  Do not panic.