3rd June, 2020

To Zoom, or not to Zoom? Cybersecurity in videoconferencing

Online videoconferencing tool Zoom has spiked in popularity since the start of COVID-19 but concerns about its cybersecurity levels have been mounting. Here’s what you need to know.

Videoconferencing platforms have changed from being popular alternatives to essential methods of communication. In this COVID-19 world, they are the only way to simulate in-person meetings in remote work environments.

Of all the platforms that are available for business teams, US-based videoconferencing tool Zoom was the one that really took off.

By the end of April 2020, the platform was hosting meetings for 300 million participants on a daily basis, an exponential increase from the 10 million that it was hosting in December.

While Zoom’s share price skyrocketed as a result of this explosion in popularity, the communications company also came under heavy scrutiny for not having adequate cybersecurity in place.

This scrutiny caused many businesses, from large corporations to SMEs, to back away from using the platform for fear that, through using it, the security of their sensitive and private data would be at risk of becoming exposed.

In response to the issues that had been highlighted with the platform’s encryption and cybersecurity systems, Zoom announced in April that it would be suspending its work on feature expansion for 90 days to focus on improving its cybersecurity.

Understanding the risks

Irrespective of your business’s nature or size, being aware of what these cybersecurity threats are, and the measures that can be taken to mitigate the risks, is crucial and can give you comfort in knowing that your data is secure while connecting with your team in a remote setting.

To learn more about the nature of these cybersecurity issues and how an SME should go about mitigating the impact they might have, I reached out to Guy Givoni, CEO and co-founder of SecureStack and a seasoned cybersecurity expert.

One of the main reasons why Zoom became the videoconferencing tool of choice for so many businesses was because of its notably seamless user experience. Businesses were enjoying the fact that hundreds of participants could join a Zoom meeting through countless dial-in methods, and the ability to record information, share screens and manage participants was simply unmatched.

But according to Givoni, this easy-to-use system was strongly related to the platform’s cybersecurity woes.

“The platform has been known for years to provide good user-experience,” Givoni told The Pulse, “but what was exposed recently is its lack of proper encryption. If proper encryption was in place, it could definitely impact the platform’s performance.”

According to Givoni, this low-quality encryption exposed the platform’s users to a number of risks. He narrowed them down to the following three:

1. Hijacking user data

The first risk that Givoni highlighted was that Zoom’s encryption methods put the personal data of the platform’s users at risk of being hijacked.

Givoni drew from an article published by TechCrunch to further elaborate on how this hijacking could potentially take place.

The article showed how Zoom’s ability to automatically download its app onto a Mac computer without user interaction (which was always viewed as another user-friendly feature) allowed hackers to infiltrate the user’s iOS operating system and, through the use of malicious code, get their hands on private and sensitive data.

Givoni also mentioned that since Zoom hosts a lot of its data on overseas servers, this low-quality encryption can allow sensitive data to be hijacked by hackers from other countries, making the use of the platform risky on an international scale.

2. Exploiting vulnerabilities

The second risk that Givoni highlighted was that Zoom’s lack of encryption and quality cybersecurity gave it the ability to exploit computer system vulnerabilities when operating the videoconference tool.

Drawing from that same TechCrunch article, Givoni explained that one of the ways in which the platform could exploit these vulnerabilities was in how it accesses the user’s camera and microphone.

As with most apps, in order for Zoom to access a computer’s camera or microphone, the user needs to provide their consent. While this request for a user’s consent does offer a level of protection, the method Zoom uses allows hackers to inject malware that tricks the operating system into granting the hacker the same access to the computer’s microphone and camera.

3. Zoom-bombing

“A new risk that exists when using Zoom is attracting unwanted attendance, or ‘Zoom-bombing’, where external parties break into your videoconference.”

Givoni explained that Zoom-bombing doesn’t only pose a threat to the sensitive information that might be discussed during the videoconference, but also allows the ‘Zoom-bomber’ to stream and share offensive material onto the screens of the conference attendees.

The common thread between all three of these risks was that they had surfaced due to issues with the quality of the videoconferencing tool’s encryption and cybersecurity efforts – ultimately putting the safety and security of the platform’s users at risk.

Mitigating the risks

The good news is that, in late April, Zoom released the latest version of its software to the public, with a series of security updates that were designed to lessen the extent of the issues outlined above.

However, one feature that the company did not roll out as part of its software update was ‘end-to-end’ encryption, which means that as much of an improvement as this update provides, Givoni’s three risks still remain relevant to a certain extent.

So, if you are using Zoom and would like to further mitigate the extent of these risks, Givoni recommended a number of simple steps to take.

“As an SME, you can take a number of basic steps that can increase your general ‘cyber-hygiene’.

“Some of these steps include enabling multi-factor authentication on all of your systems, installing anti-virus software and keeping a backup of all of your company’s important data.

“As for mitigating cyber-security threats when using Zoom, always ensure that your meetings are password protected and enable the waiting room functionality so the host has more control over who can join the meeting.”

Givoni also recommended that users shut down the application right after the conference call finishes as another great way to decrease chances of running into cybersecurity issues.

“These videoconference tips, together with good cyber-hygiene practices will significantly mitigate the cybersecurity risks associated with using Zoom for most users.”

Safe alternatives

Given the inherent cybersecurity risk associated with using Zoom, it’s good to be aware of the various alternative platforms that can provide more cybersecure environments.

According to Givoni, for group videoconferences about highly sensitive matters, the platform Jitsi provides a more secure and encrypted environment than Zoom and can be considered a safer alternative for a business’s videoconferencing needs.

That said, Givoni flagged that for sensitive one-on-one conversations, using Apple’s FaceTime app, Facebook’s WhatsApp Video tool or the videoconference platform called Signal is safest, as they offer end-to-end encryption – something that neither Zoom nor Jitsi offers at this stage.