Zoom’s Reported Security Flaws Explained

  • 17 April, 2020

Article, Cisco, Industry News, Security, Unified Collaboration

Since the lockdown, you’ve no doubt been inundated with invites to Zoom meetings, whether at work or from friends. However, Zoom has experienced some serious security compromises over the last few weeks that need to be addressed. In this article, we take a look at some of the major flaws reported in Zoom’s security.

Zoom bombing

The first worrying issue is nicknamed Zoom ‘bombing’. Essentially, Zoom bombing is the ability of anyone to join a meeting uninvited as long as they know the meeting number. In social meetings this isn’t a major issue but more of an annoyance, as bombers can post explicit images in the chat or make irritating noises.

However, in a corporate scenario this is much more serious: anyone can listen in on business discussions where sensitive information is being shared. The FBI recently warned about this danger, and businesses using Zoom need to stay vigilant against this threat.

Leaks of emails and profile photos

When you create an account with Zoom, you are put into a company folder with everyone else in your organisation who shares the same email domain. If you use a well-known webmail provider such as Gmail, Hotmail or Yahoo, an exception is made and you are not entered into a company folder.

However, many people have email addresses with smaller webmail providers that Zoom hasn’t identified, so everyone who uses that provider is entered into a folder together. From there, you can see the email address, username and profile picture of everyone else in the same folder. This is a serious privacy issue, and it is still unclear how Zoom plans to fix it.

Potential file sharing vulnerability

File sharing is a vital part of collaborating with colleagues. However, Zoom has had to remove this feature due to a security issue it did not disclose. In an “ask me anything” webinar, the CEO of Zoom announced the vulnerability and stated that the file-sharing feature would be switched off until further notice. Zoom users may struggle to collaborate effectively without this tool.

Zoom installer comes with malware

One of the most surprising developments in this story is that malware was discovered in some versions of the Zoom installer. The malware is a cryptocurrency miner that uses your PC’s central processing unit and graphics card to solve mathematical problems in order to mine cryptocurrency such as Bitcoin.

This will inevitably harm your PC’s performance. Zoom users need to ensure that they only download the meeting client from Zoom’s official website, or they may be at risk.

Lack of encryption on Zoom

When it comes to corporate meetings, organisations want end-to-end encryption, which Zoom claims to provide. It has recently transpired that some of Zoom’s claims about its encryption may be misleading. Zoom claims to use AES-256 encryption to encode audio and video, but the Citizen Lab reported on April 3rd that Zoom has actually been using AES-128, which is a less advanced algorithm.

The Citizen Lab stated that they “discourage the use of Zoom at this time for use cases that require strong privacy and confidentiality”. This is noteworthy for organisations such as government entities, healthcare providers, or any business that handles sensitive data.

On April 3rd, the CEO of Zoom spoke out to say the company recognises that it needs to do better when it comes to encryption. This is still unresolved.

Final note...

The soaring popularity of Zoom has revealed a whole host of security flaws. These will hopefully be fixed in the coming months, but for now we advise against using Zoom as a corporate collaboration platform. If you are using Zoom for social purposes, we recommend taking care to prevent issues by choosing a unique password for your Zoom account and always setting a password to enter meetings.

If you are looking for an alternative to Zoom, we recommend Cisco Webex, which has all the features of Zoom and has won awards for its focus on security. Cisco is currently offering this platform for free during the Coronavirus pandemic.