
Zoom Data Security Issues


Business is booming for Zoom, but so are concerns about its data privacy and security practices.

Use of the video conferencing service has soared amid the COVID-19 pandemic, as it is reliable and easy to use, especially for those working from home.

Zoom was developed primarily for business communications; however, the COVID-19 pandemic has created a global escalation in remote work arrangements. Zoom is now also being widely used for virtual education, telehealth and online social gatherings.

Zoom has historically experienced security flaws, but more recently its data privacy and security practices have attracted significant media attention and scrutiny from the New York state regulator.

What are the specific concerns?

The New York Times recently reported that the office of the New York Attorney General is concerned that Zoom’s security measures are inadequate to handle the sudden surge in network traffic volume and properly protect sensitive user data.

They argue that Zoom has been slow to address security flaws, such as vulnerabilities that could allow hackers to take over webcams.

News organisation The Intercept highlighted that Zoom audio and video calls do not actually support end-to-end encryption. End-to-end encryption means that content is fully protected from third parties, including Zoom.

Encryption Issues

The encryption that Zoom uses appears to be similar to ‘transport encryption’, which secures the connection between a user’s computer and an external server. This resembles the way HTTPS secures the connection between a website’s server and the computer accessing it. Zoom’s website, however, indicates that end-to-end encryption is supported.

Implications

The implication is that when you have a Zoom meeting, the video and audio content stays private from anyone spying on your Wi-Fi, but the content won’t stay private from Zoom. Zoom claims that it does not directly access, mine, or sell user data.

Without end-to-end encryption, Zoom has the technical ability to spy on private video meetings, and could be legally compelled to provide recordings of meetings to governments or law enforcement agencies. Google, Facebook, and Microsoft publish transparency reports that disclose the country of origin, the number of government requests for user data they receive and the number that they comply with. However, Zoom does not publish transparency reports to help users understand how their data is protected.

Transparency reports are a highly effective way to disclose privacy threats. They inform our understanding of surveillance laws in different jurisdictions and of network shutdowns, and provide data on companies that are opposing improper requests for information.

ZoomBombing

ZoomBombing is a new trend where trolls are exploiting Zoom’s screen-sharing feature to share disturbing and/or offensive content.

To counter this, Zoom advises users to utilise the Waiting Room feature which allows the host to control when a participant joins the meeting. Meeting hosts can change the platform’s default administrative settings to ensure the screen-sharing option is disabled for everyone except the host, and meeting hosts can also mute participants. Those hosting private meetings or virtual classrooms can set up password protections that prevent uninvited users from joining.

Windows Issues

iTNews reported that Zoom has a high-risk security issue in its Windows client that can be used for limited remote code execution and, potentially worse, to capture and replay security tokens to access network resources.

iTNews also mentioned that the Zoom Windows desktop client is vulnerable to a high-risk Universal Naming Convention (UNC) injection flaw in how the app handles Uniform Resource Identifier paths.
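A defensive sketch of the link-handling decision behind this class of flaw, added here as an example and not Zoom's or iTNews's code: opening a UNC path makes Windows attempt to authenticate to the named remote host, which is how the security tokens mentioned above can be exposed. It assumes a client that turns paths in incoming message text into clickable links; the function names, the allowlist and the sample message are hypothetical.

```python
import re
from urllib.parse import urlsplit

# UNC form: two leading slashes or backslashes, a host, then a share name.
UNC_RE = re.compile(r'^(?:\\\\|//)[^\\/\s]+[\\/][^\\/\s]+')
WEB_SCHEMES = {"http", "https"}  # the only schemes this sketch will auto-link


def classify(token):
    """Classify one whitespace-delimited token from a message."""
    token = token.lstrip("([<\"'")
    if UNC_RE.match(token):
        return "unc"
    try:
        parts = urlsplit(token)
    except ValueError:          # malformed URL: treat as plain text
        return "text"
    scheme = parts.scheme.lower()
    if scheme == "file":
        # file://host/share and file:////host/share both name a remote host.
        remote = (parts.netloc.lower() not in ("", "localhost")
                  or parts.path.startswith("//"))
        return "remote-file-uri" if remote else "local-file-uri"
    if scheme in WEB_SCHEMES and parts.netloc:
        return "web"
    return "text"


def linkable(message):
    """Tokens a renderer may turn into clickable links (allowlist)."""
    return [t for t in message.split() if classify(t) == "web"]


def flagged(message):
    """Tokens that would make Windows contact a remote host if opened."""
    return [(t, k) for t in message.split()
            if (k := classify(t)) in ("unc", "remote-file-uri")]


# Constructed sample message; hosts and paths are placeholders.
SAMPLE = (r"Notes: https://intranet.example/notes then "
          r"\\fileserver.example\share\agenda.docx or "
          r"file://fileserver.example/share/a.txt and file:///C:/tmp/a.txt")

if __name__ == "__main__":
    print("linkable:", linkable(SAMPLE))
    for token, kind in flagged(SAMPLE):
        print("flagged :", kind, token)
```

Rendering only allowlisted schemes as links is the safer default; the flagged list is what a filter or log would record.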

A Motherboard article also mentions that Zoom’s Company Directory feature leaks email addresses and photos. The Company Directory feature is intended to pool users of the same domain name to make it easier to find colleagues in the same company. However, many users are claiming that their personal email addresses have been pooled with thousands of random people and that their personal data, including full names, mail addresses, profile pictures and statuses, were all shared with strangers.

Zoom Phone App

The Zoom phone app also has data privacy and security concerns, and Zoom’s approach to resolving these issues has proven inadequate.

In response to Motherboard finding that the Zoom iOS app was sending analytics information to Facebook when users opened the app, Zoom removed the code.

Zoom subsequently issued an update to its app to remove the tracking software and added clarifications to its privacy policies, and is now facing a class-action lawsuit over the data the iOS app was sharing with Facebook.

Agilient urges all users of video conferencing phone and computer services to be vigilant with their security settings.

Online collaborative services, such as Slack and Microsoft Teams, enable employees to collaborate online. Agilient favours MS Teams for its security protection quality.

Agilient’s expert consultants are available to assist you in addressing any security concerns during the current period of heightened risk. Please contact us for assistance with your cybersecurity.

Author: Phillipa Lee, Agilient Consultant

Copyright © 2021 Agilient · Level 3, 655 Pacific Highway, St Leonards, NSW 2065 · 1300 341 692