The number of people using Zoom has skyrocketed since the COVID-19 pandemic-related shift to remote working. Despite being designed primarily for business communications, Zoom is now also used for virtual education, telehealth and online social gatherings.
The significant increase in the use of Zoom’s video conferencing software has also exposed the magnitude of its security vulnerabilities. Recently, Zoom’s data privacy and security practices have attracted significant media attention and scrutiny from the office of the New York Attorney General, other state regulators and the FBI.
Amid security and confidentiality concerns, organisations such as SpaceX, NASA and the Australian Defence Force have ceased using Zoom.
Zoom has responded by:
- Initiating a comprehensive review with external experts and users to understand all security and privacy concerns, and releasing a transparency report that provides information on law enforcement requests for data, records or content;
- Implementing a “CISO council” to address security and privacy issues, increase penetration testing, and conduct a weekly webinar to provide privacy and security updates to users;
- Directing engineering resources to exclusively focus on security and privacy issues for the next three months;
- Apologising for falsely claiming that Zoom meetings and chats were end-to-end encrypted;
- Releasing fixes for Mac issues to mitigate the risk of hackers taking over Zoom webcams;
- Releasing an update that prevents all posted links, including normal URLs and UNC paths, from being converted into clickable hyperlinks. On Windows, a clicked UNC link could potentially have caused password leakage;
- In response to the FBI’s warning, and its advice that users adjust their settings to prevent ZoomBombing (where trolls exploit Zoom’s screen-sharing feature to share disturbing and/or offensive content), Zoom enabled the Waiting Room feature. This lets the host control when participants join the meeting. In addition, it is advisable to require users to enter a password before they reach the Waiting Room. The host then admits the authorised users from the Waiting Room into the meeting once all intended participants have been granted access;
- Tightening its privacy policy, which now states that it does not use data from meetings for any advertising. Zoom’s privacy policy had been criticised for allowing the collection of extensive data about its users (e.g. videos, transcripts and shared notes) and for sharing it with third parties;
- Removing the iOS app feature that enabled sending analytics data to Facebook, even when the user did not have a linked Facebook account; and
- Recently releasing a patch to address a Windows app flaw that allowed bad actors to gain root privileges and steal victims’ login credentials, and a patch for a flaw that allowed access to the mic and camera on macOS, which in turn enabled a way to record Zoom meetings.
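As an added illustration of the link-conversion fix in the list above (example code written for this article, not Zoom’s own): Zoom’s update stopped converting any posted link at all, whereas this Python function shows the narrower defensive rule of hyperlinking only http(s) URLs while rendering UNC paths and every other scheme as plain text. The patterns, function names and sample chat lines are constructed for the example.

```python
import html
import re

# Only these schemes may become clickable. Anything else (file:, smb:, UNC
# paths) stays plain text, so a click can never trigger an SMB connection
# that would hand the user's Windows credentials to a remote host.
SAFE_SCHEMES = {"http", "https"}

# One combined pattern so tokens are found left to right without overlap:
#   group "unc" -> \\host\share\...   (Windows UNC path)
#   group "url" -> scheme://...       (any URL-looking token)
LINK_RE = re.compile(
    r"(?P<unc>\\\\[^\s\\]+(?:\\[^\s]*)?)"
    r"|(?P<url>\b[a-z][a-z0-9+.-]*://[^\s<>\"']+)",
    re.IGNORECASE,
)


def classify(token: str) -> str:
    """Return 'unc', 'safe' or 'unsafe' for a token matched by LINK_RE."""
    if token.startswith("\\\\"):
        return "unc"
    scheme = token.split("://", 1)[0].lower()
    return "safe" if scheme in SAFE_SCHEMES else "unsafe"


def render_chat_html(message: str) -> str:
    """Render a chat message as HTML, hyperlinking only http(s) URLs."""
    out, pos = [], 0
    for m in LINK_RE.finditer(message):
        out.append(html.escape(message[pos:m.start()]))
        token = m.group(0)
        if classify(token) == "safe":
            safe = html.escape(token, quote=True)
            out.append(f'<a href="{safe}" rel="noopener noreferrer">{safe}</a>')
        else:
            out.append(html.escape(token))  # UNC / file: / smb: stay plain text
        pos = m.end()
    out.append(html.escape(message[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample chat lines: one safe URL, one UNC path, one file: URL.
    for line in ("slides: https://example.com/deck",
                 r"open \\fileserver\share\notes.txt",
                 "file://host/share/x"):
        print(render_chat_html(line))
```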
Agilient urges all Zoom users to maintain effective security by ensuring their Zoom software is frequently updated.
Our expert security consultants are available to ensure that your organisation is appropriately protected from cyber threats. Contact us today to find out how we can assist you.