The video conferencing platform has sharpened its cybersecurity features, but users should remain prudent.
Thanks to the world’s increasing need to conduct lives virtually, video conferencing company Zoom’s daily meeting participant numbers have ballooned to 300 million, sending its market cap skyrocketing to some $35 billion. Whilst some COVID-19 habits might prove temporary, the way society draws on communication software as a lifeline is expected to persist well beyond the current crisis. As employees begin to trickle slowly back into Israeli offices, and the UK begins to explore a pandemic exit strategy, it is clear that Zoom is here to stay.
Whilst Zoom is safe for most people, the growing reliance on its service by governments and the judicial system for sensitive operations has increased pressure on the company to tackle outstanding privacy and security vulnerabilities. Indeed, Zoom, having held a somewhat unsatisfactory record in the cyber arena, seems to have turned over a new leaf with its announcement last week of a “90-day plan” to revamp its security and privacy standards, the first milestone of which is a new version of the platform, Zoom 5.0.
Zoom has previously been met with criticism for the transmission of users’ data through servers in Chinese data centers. China’s cybersecurity laws, allowing the Chinese government to access data kept on local servers, have been heavily criticised internationally over fears of possible cyber espionage. Companies that refuse to comply with Chinese data localization laws and to disclose their encryption keys to the government could face serious penalties. To combat this, Zoom 5.0 will allow paying customers to pick the data centers through which their calls are routed. Free users are unable to change their regions, but those outside of China will not have their data routed through Chinese servers.
Additionally, following reprimands over its misleading claims about its end-to-end encryption, Zoom has introduced GCM encryption to Zoom 5.0, intended to bolster the protection of data in transit and its resistance to tampering. However, the platform still lacks complete end-to-end encryption, compelling organisations which want to hold themselves to the highest possible standard to think twice when interacting with the platform.
Four precautions to protect your Zoom meetings
Change and lock your default settings, so that they cannot be changed at individual user level. Consider limiting the ability to share screens only to the meeting host – this feature has been proven to be prone to abuse. It is also advisable to turn off the functionality allowing chats to be saved, since this is a particularly buggy part of Zoom. This feature also raises privacy questions – private chats between users should not be publicly available after being saved. To prevent “Zoombombing”, the intrusion of uninvited users into a meeting, set up Host Keys, password protect your meetings, and make sure not to use your Personal Meeting ID (PMI) to set up new meetings – doing so can allow others who already have your PMI to enter other meetings in which you are also using your PMI.
Compulsory waiting rooms are also an efficient way of controlling who enters your meeting, since they give the host maximum control over who is admitted. In this situation, the host first enters the meeting, and then lets everyone else in. It also means that, once the meeting is underway, people who then try to join will be kept in the waiting room until approved.
Recordings must be made sparingly and carefully, since the host has the power to record the meeting without the participants’ knowledge. It is therefore best practice to ensure that everyone in the meeting consents to being recorded before a meeting begins. Consider only permitting recordings to be saved to the cloud to enhance levels of security. Saving to the cloud means that once the recording is complete, it will only be accessible by the host and authenticated users.
Select a data center region, to have more control over where your meeting data is stored. As mentioned, paying Zoom users can now whitelist and blacklist data center regions when scheduling meetings and webinars.
Article written by: Syvanne Aloni and Avishai Ostrin