I’ve heard that Zoom is not secure. Is it a reliable choice for my online meetings? Here are 2 things to consider.

A few months or even weeks ago many of us had not heard of Zoom. But with the dramatic and unexpected circumstances we now find ourselves in, most of us have had to get to grips with this particular technology. It is not the only software available to keep us connected online, but it is the one that everyone seems to be talking about.

However, there have been some suggestions that it is not very good at keeping our conversations or our systems secure. Recently a synagogue was conducting an online gathering via Zoom. Unfortunately they were joined by some strangers, a phenomenon known as “Zoombombing”, who then proceeded to post anti-semitic abuse.

Then there were the pictures posted by the British Prime Minister, Boris Johnson, of the cabinet meeting he conducted by Zoom. His screenshot of the meeting was all over social media – a screenshot proudly displaying the meeting ID for all to try! Then there are concerns over encryption and what can actually be accessed by an outside party.

So how do we protect our Zoom meetings from intruders or prying eyes?

Encryption

Let’s deal with the encryption first. Zoom uses something called “transport encryption”. This means that the conversations between sender and receiver, whether audio, video or text, are encrypted. It’s exactly the same technology used in websites that use HTTPS, or the green padlock. So it is not possible for someone to intercept your conversation in transit.

What it does NOT provide is end to end encryption. That means anything stored on the Zoom servers is either not encrypted or the encryption keys are known to Zoom and therefore your data could, in theory, be accessed by a rogue employee or anyone who manages to hack into Zoom’s systems. So there IS a security risk, and you need to decide if that is acceptable to you.

Zoom’s website states, “Communications are established using 256-bit TLS encryption and all shared content can be encrypted using AES-256 encryption.”

They also state:

“Zoom has implemented robust and validated internal controls to prevent unauthorized access to any content that users share during meetings, including – but not limited to – the video, audio, and chat content of those meetings.

Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list.”1

The bottom line is, how much do you trust Zoom? But then this is true of any cloud service provider. For the record, Microsoft Teams, a business focused alternative, also does not provide true end to end encryption.

Unwanted Visitors

Whereas we can’t do much about the encryption issue other than live with it (or choose not to use the service), there is much we can do as users to prevent unwanted guests at our Zoom meetings. Zoom has already enabled two useful security features by default.

The first is meeting passwords. The password is an additional piece of information to the meeting ID and a guest needs both of them to join. The cabinet meeting that had its ID leaked was indeed password protected so it was protected from casual interlopers even if it wasn’t good practice to share a screenshot with the meeting ID (a little cropping is all it would have needed!). Additionally, don’t publicise both bits of information on a public website. This was where the synagogue fell down – it made the login information available via its website2. So use meeting passwords – don’t turn off this feature.

The second is the concept of “the waiting room”. This means that anyone who joins now has to be added by the host. So any person not invited can be evicted before they even have the chance to interact with legitimate attendees. Again, we do not recommend turning this feature off.

Additionally there are some other things you can do.

  • Disable the file transfer facility – this prevents participants from sharing potentially offensive or virus filled content.
  • Disable “join before host” – this stops people from being able to access the meeting before the host has the chance to “vet” them.
  • Set screen sharing to “host only”. Again, this prevents participants from sharing something potentially offensive.
  • Disable “allow removed participants to rejoin”. If you’ve thrown someone off, you don’t want them to try and rejoin!

Summary

As with any application or piece of software, the message is: use with care. Zoom and other online meeting tools are a tremendous boon and are enabling us to keep the economy going as far as possible. More businesses would fail without these tools. With that in mind, and observing good protocol, the benefits outweigh the risks.

As always, if you have any questions about the content of this article or any other IT related matter, contact us.