Security Concerns with Zoom

Sometimes the popular decision is not the best decision, and that seems to be the case with choosing Zoom for video conferencing. Like Facebook and other companies before it, Zoom has become the target of lawmakers and scammers because of the massive amount of data it has amassed.

The news that has come to light over the last few days is quite alarming, and makes us feel a little better that we have not suggested the use of Zoom to any of our clients.

Here are some of the issues that Zoom Video Communications needs to address:

Mac issue – Any malicious website could activate the webcam on a Mac with Zoom installed, without the user’s permission. (Apple has resolved this issue on their own.)

Selling data to Facebook and others. Zoom is accused of sending data to Facebook about a user’s Zoom habits, even when the Zoom account has no connection to a Facebook account.

“Zoom bombing” – where people take advantage of open or unprotected meetings to take over screen-sharing and broadcast explicit material. The FBI this week warned users to adjust their settings to avoid trolls hijacking video calls. The bureau recommends requiring a password or using Zoom’s waiting room feature to screen guests, and never making teleconference links available on public social media posts. Users can also set the screen-sharing option to “Host Only.”

The newest vulnerability, and the most concerning to me, is the flaw that allows an attacker to steal Windows login credentials from attendees. The problem is with how Zoom’s chat feature handles links. If an attendee clicks on a tampered link, Windows will hand over the attendee’s Windows login name and password. (The password is hashed, but the hash is easily broken with free tools available on the internet.) This vulnerability can also be used to launch programs on an attendee’s computer. By default, Windows gives a security warning before launching the program, but many people disable these warnings.
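To make the chat-link problem concrete for defenders, here is an added example (not code from Zoom or from this post) that scans chat text for links that make Windows contact a file server. It assumes the tampered links take the form of Windows network paths (`\\host\share`) or `file://` URLs, which the post does not spell out; the host names, allowlist and chat lines are constructed sample data.

```python
import re
from urllib.parse import urlsplit

# UNC path: \\host\share\... ; file URL with a remote host: file://host/share/...
UNC_RE = re.compile(r"\\\\([A-Za-z0-9._-]+)\\([^\s\"'<>|]+)")
FILE_URL_RE = re.compile(r"\bfile://[^\s\"'<>\[\]]+", re.IGNORECASE)
EXECUTABLE_EXT = (".exe", ".bat", ".cmd", ".com", ".scr", ".msi", ".ps1", ".vbs")

# Constructed sample data: hypothetical internal file server and chat lines.
TRUSTED_HOSTS = {"files.corp.example"}
SAMPLE_CHAT = [
    "10:02 alice: agenda is at https://intranet.example/agenda",
    r"10:03 bob: slides are on \\files.corp.example\team\slides.pptx",
    r"10:05 guest42: new build here \\203.0.113.7\pub\update.exe",
    "10:06 guest42: or file://203.0.113.7/pub/readme.txt",
]


def _finding(kind, host, path):
    path = path.rstrip(".,;:)")  # drop sentence punctuation glued to the link
    return {"kind": kind, "host": host.lower(), "path": path,
            "executable": path.lower().endswith(EXECUTABLE_EXT)}


def find_remote_path_links(message):
    """Return every UNC path or remote file:// URL found in one chat message."""
    findings = []
    for m in UNC_RE.finditer(message):
        findings.append(_finding("unc", m.group(1), m.group(2).replace("\\", "/")))
    for m in FILE_URL_RE.finditer(message):
        parts = urlsplit(m.group(0))
        # file:///C:/... has no host and stays on the local disk; skip it.
        if parts.hostname and parts.hostname != "localhost":
            findings.append(_finding("file-url", parts.hostname, parts.path.lstrip("/")))
    return findings


def flag_untrusted(lines, trusted_hosts):
    """Return (line_number, finding) for links whose host is not on the allowlist."""
    return [(n, f) for n, line in enumerate(lines, 1)
            for f in find_remote_path_links(line)
            if f["host"] not in trusted_hosts]


if __name__ == "__main__":
    for n, f in flag_untrusted(SAMPLE_CHAT, TRUSTED_HOSTS):
        note = " (points at an executable)" if f["executable"] else ""
        print(f"line {n}: {f['kind']} link to {f['host']}/{f['path']}{note}")
```
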

Lastly, Zoom claims to provide end-to-end encryption for all meetings, but according to TrustedSec founder David Kennedy, Zoom instead uses transport encryption, which only secures the message from your computer to the Zoom servers. This means Zoom functions as a middleman in all Zoom video conversations and has access to their content. Very sneaky, Zoom, very sneaky.

These reasons likely were key factors this week when companies like SpaceX banned their employees from using the Zoom app, citing “significant privacy and security concerns.”

We are all for boosting American-based technology companies, and this detail always plays a factor in our decision-making process, but we have never supported Zoom Video Communications, mostly because we are fans of Microsoft’s solution. Based on the above information, we do not suggest using Zoom now.

For people who do not want to take the time to set up a Microsoft 365 account, we suggest the LogMeIn Inc. line of products, which includes GoToMeeting, GoToWebinar, OpenVoice, and GoToTraining, as they have good standing with regard to security and best practices.

The important thing to investigate when choosing a solution to meet your needs is who else is using the product, and whether they have a solid reputation for paying attention to security.

If you want to discuss your options, contact any of our staff members at Advanced Systems Solutions. As we always say, it’s free to talk!

Like our Facebook page by clicking on the icon at the top right of this page to stay up to date with current alerts and information!

Disclaimer: The above information is not intended as technical advice. Additional facts or future developments may affect subjects contained herein. Seek the advice of an IT Professional before acting or relying on any information in this communiqué.
