Is any video conferencing app secure?
Some security weaknesses are zero-day vulnerabilities, like the Zoom app’s download being vulnerable to a phishing scheme. Zoom leadership has since secured the install, but that is the stuff you can’t do anything about.
Other security weaknesses you can do something about, like password protection against Zoombombers. That is a setting, and it is enabled by default.
Zoombombers
Unwelcome guests spewing abuse is the stuff humanity (and news) is made of. For a recent piece in Wired magazine, Riana Pfefferkorn at Stanford’s Center for Internet and Society commented, “Enterprise platforms are now seeing the same abuse problems that we’ve long been used to seeing on Twitter, YouTube, Reddit, etc.… [where] strangers contact other strangers….”
Blood in the water
Are Zoombombs proof positive that Zoom is not secure? Regardless of the truth, the smell of blood in the water has got both hackers and cybersecurity hotshots in a frenzy to attack the app’s safety like sharks. Says cryptographer @KennWhite, whose work on applied signal analysis has been published in the Proceedings of the National Academy of Sciences, “It’s like everyone is driving a 1989 Geo and security folks are worrying about the airflow in a Ferrari.”
Good UX
I take White’s point to be that anyone still driving a 1989 Geo is comfortable in the driver’s seat. Good UX delicately balances security with usability. In the past, Zoom leadership has consistently erred on the side of usability, like disabling password protection by default.
But the vulnerabilities that cybersecurity hotshots like Matthew Hickey (@HackerFantastic) are reporting to BleepingComputer are a bit far-fetched. Hickey found that a UNC link in the Chat can be used to launch malicious software. OK, but you can’t do anything about that. Zoom leadership can (and has).
Bad UX
Unfortunately, in response to the frenzy, Zoom leadership’s fix for a vulnerable UNC link is bad UX, way off balance between security and usability: ALL links in Chat, even normal URLs, no longer convert into hyperlinks. Bummer. There goes an elegant sharing tool.
Btw, this vulnerability assumes the hacker gained entry in the first place, which you can do something about: set a password.
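The balance discussed above can be sketched as an allowlist: only http and https URLs become hyperlinks, while UNC paths and everything else stay plain text. This is an added example, not Zoom's code; the function names and sample messages are hypothetical.

```javascript
// Added example (not Zoom's implementation): allowlist-based chat linkification.
// Only absolute http/https URLs become hyperlinks; UNC paths such as
// \\host\share\file.exe, file:// URLs and other schemes remain inert text.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Escape text before placing it in HTML so chat content cannot inject markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Returns a parsed URL when the token is a web link we are willing to
// hyperlink, otherwise null. Requiring the literal "http(s)://" prefix
// rejects backslash forms before the URL parser can normalise them.
function safeWebUrl(token) {
  if (!/^https?:\/\//i.test(token)) return null;
  let url;
  try {
    url = new URL(token);
  } catch {
    return null; // not parseable as a URL
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol) || !url.hostname) return null;
  return url;
}

// Convert one chat message to HTML, keeping whitespace as typed.
function linkifyChatMessage(message) {
  return message
    .split(/(\s+)/)
    .map((token) => {
      const url = safeWebUrl(token);
      if (!url) return escapeHtml(token);
      const href = escapeHtml(url.href);
      return `<a href="${href}" rel="noopener noreferrer">${escapeHtml(token)}</a>`;
    })
    .join("");
}

// Constructed sample messages.
const samples = [
  "notes at https://example.com/a?b=1&c=2",
  "run \\\\fileserver\\share\\tool.exe",
  "open file://fileserver/share/tool.exe",
];
for (const s of samples) console.log(linkifyChatMessage(s));
```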
So, is Zoom secure?
Yes — like you protect yourself against COVID-19 — if you follow the rules:
- Set a password and/or enable the waiting room.
- Don’t publish Meeting IDs or links.
- Set the screensharing option to “Host Only.” (Change that setting during the meeting, if you like.)
And look out for phishing schemes like this one: “Download our AI Corona Antivirus for the best possible protection against the Corona COVID-19 virus.”
Too soon?