Zoom Security Issues
Currently, the Zoom Windows client is vulnerable to UNC path injection in the client’s chat feature, which could allow attackers to steal the Windows credentials of users who click on the link. This in itself is serious enough for any business to consider its suitability…
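A message filter or chat gateway can remove such paths before any client turns them into clickable links. The Python sketch below is an added example, not Zoom's code and not part of the original article; the function names and the allow-listed file server are assumptions made for illustration.

```python
import re

# Hosts the organisation trusts for file links (constructed example value).
ALLOWED_HOSTS = {"fileserver01.corp.example"}

# Path forms that make Windows contact a remote host when opened:
# \\host\share, \\?\UNC\host\share and file://host/share.
REMOTE_PATH_RE = re.compile(
    r"""
    (?<![\w\\/])                             # not in the middle of another token
    (?: \\\\(?:\?\\UNC\\)? | file://(?!/) )  # UNC prefix, or file:// with a host
    (?P<host>[a-z0-9][a-z0-9._\-]*)          # host name or IPv4 address
    (?:@[\w@]+)?                             # optional @port / @SSL@port (WebDAV form)
    (?P<rest>[\\/][^\s<>"']*)?               # share and path, up to whitespace or quote
    """,
    re.IGNORECASE | re.VERBOSE,
)


def find_remote_paths(message):
    """Return (matched_text, host) for every remote path in a chat message."""
    return [(m.group(0), m.group("host").lower())
            for m in REMOTE_PATH_RE.finditer(message)]


def neutralise(message):
    """Replace untrusted remote paths with inert text that cannot be linkified."""
    def _replace(match):
        host = match.group("host").lower()
        if host in ALLOWED_HOSTS:
            return match.group(0)          # trusted internal server: leave as is
        return "[remote path to %s removed]" % host
    return REMOTE_PATH_RE.sub(_replace, message)


if __name__ == "__main__":
    # Constructed sample chat messages (documentation addresses and names).
    samples = [
        r"notes: \\203.0.113.7\share\agenda.docx now",
        r"\\?\UNC\Evil.example\x",
        "file://fileserver01.corp.example/hr/policy.pdf",
        r"local copy is in C:\Users\me\a.txt",
    ]
    for text in samples:
        print(neutralise(text))
```

Local paths such as `C:\...` and `file:///C:/...` are left alone because they name no remote host.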
The service has a long history of vulnerabilities. Last year a privacy complaint in the US by the Electronic Privacy Information Centre (EPIC) alleged that Zoom intentionally designed its web conferencing service to bypass browser security settings and remotely enable users’ web cameras without the knowledge or consent of the user. There have also been the “Zoombombing” issues, where users of the platform report that their meetings are being hijacked by hackers who project racist or otherwise hateful imagery. These hijackers often target schools and universities.
One limitation of the Zoom service is that it has no “end to end” encryption (E2EE), which means that any information travelling across the internet can be interrogated and stolen. The company has admitted that although it explicitly gives users the option to hold an “end-to-end encrypted” conversation, in fact it offers no such thing. Specifically, it uses TLS, which underpins HTTPS website connections. That is significantly better than nothing, but it most definitely is not E2EE.
E2EE ensures all communications are encrypted between devices so that not even the organisation hosting the service has access to the contents of the connection. Without it, Zoom can intercept and decrypt video chats and other data.
In common with many online businesses, Zoom gathers as much user information as possible, including name, address, email address, phone numbers, job information, Facebook profile information, computer or phone specs and IP address, as well as information uploaded while using the service. Meeting hosts can also track whether attendees are paying attention with a feature called ‘attention tracking’, which reports if an attendee does not have Zoom in focus for more than 30 seconds.
Other Video Conferencing Platforms
There are of course other video conferencing platforms. Here’s a shortlist of the other most popular services:
Google offers Hangouts and Duo as its two video meeting platforms. Both offer “free” and paid versions bundled in with its G Suite line of applications. While Google Hangouts offers similar functionality to Zoom, it has a limit of 10 or 25 attendees per video conference, depending on the version used. It has a long history of security and privacy concerns and does not include E2EE. Duo, though, is E2EE enabled and can support video meetings with up to 12 attendees.
Webex from Cisco includes E2EE for data in transit and for all media streams, with encryption keys restricted to a meeting’s host and attendees. It has robust data centres and strong password enforcement and management. A free version is available: https://www.webex.com/
Microsoft Teams offers a number of advantages: it is included with the Microsoft 365 packages and has E2EE. Microsoft is a major provider of networking, software, and cybersecurity services and it adheres to the strictest government and industry security standards and legal requirements. Teams is built on the Office 365 hyper-scale, enterprise-grade cloud, delivering advanced security and compliance capabilities. There is a free version of Teams: https://support.microsoft.com/en-us/office/welcome-to-microsoft-teams-free-classic-6d79a648-6913-4696-9237-ed13de64ae3c?ui=en-us&rs=en-ie&ad=ie
In addition, we can arrange for trial versions of the enterprise and business platforms.
Every business, large or small, needs to have a clear understanding of what its own security requirements are in order to make an informed decision. If you are in any doubt, you should discuss this with your ICT provider or contact us for a free initial consultation.
Contact us today to find out more.